
Inbound processing Q

I have a Q related to the description of inbound processing in the IPSEC architecture:

When a responder processes an IKE/ESP phase-2 from a remote peer, the SPD can be searched for a policy that matches the peer's IP address and supports one of the cipher suites being proposed. No other selector can be used to select the best SPD entry at this point.

	Once the inbound ESP-SA is in place and data starts arriving,
the packets are de-tunneled (say) and decrypted. At 
	that moment, if we are down to a packet that needs forwarding,
the selectors fields from the packet and the cypher-suit 	are
matched against the inbound SPD entries, and if no match is found, the
correct action appears to be to discard the 	packet!

It seems that inbound-specific SPD entries may need to include more 'any' and 'wildcard' selector values than the outbound SPD entries.

This suggests that phase-2 should allow negotiation of selector fields so that the responder can then find a policy that more fully covers the remote peer's selector ranges/explicit values/wildcards.

	Steve.
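A small model of the post-decryption check described above, added here as an example and not part of the original message: a decapsulated packet's selectors and the SA's cipher suite are matched against inbound SPD entries, and a packet no entry covers is discarded. The SPD entries, cipher-suite labels and packets are constructed; the field names are assumptions, not RFC 2401 identifiers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Selector:
    """Each field is either the string 'any' or a concrete value:
    src/dst are CIDR strings, proto is 'tcp'/'udp', dport is an (lo, hi) range."""
    src: object
    dst: object
    proto: object
    dport: object

@dataclass(frozen=True)
class SpdEntry:
    selector: Selector
    cipher_suite: str   # constructed label for the suite the SA must use
    action: str         # 'protect' (must have arrived via ESP), 'bypass' or 'discard'

def _addr_match(sel, addr):
    return sel == "any" or ip_address(addr) in ip_network(sel)

def _port_match(sel, port):
    return sel == "any" or sel[0] <= port <= sel[1]

def entry_matches(entry, pkt, cipher_suite):
    s = entry.selector
    return (_addr_match(s.src, pkt["src"]) and _addr_match(s.dst, pkt["dst"])
            and s.proto in ("any", pkt["proto"])
            and _port_match(s.dport, pkt["dport"])
            and entry.cipher_suite == cipher_suite)

def inbound_check(spd, pkt, cipher_suite):
    """Ordered search of the inbound SPD after decryption; first match wins.
    Returns 'forward' for a covering 'protect' entry, otherwise the entry's
    action, and 'discard' when nothing covers the packet."""
    for entry in spd:
        if entry_matches(entry, pkt, cipher_suite):
            return "forward" if entry.action == "protect" else entry.action
    return "discard"

# Constructed SPDs: a narrow one (only HTTPS from one /16) and a wildcard entry.
NARROW_SPD = [SpdEntry(Selector("10.1.0.0/16", "192.168.0.0/24", "tcp", (443, 443)),
                       "ESP-AES-SHA1", "protect")]
WILDCARD_SPD = [SpdEntry(Selector("10.1.0.0/16", "any", "any", "any"),
                         "ESP-AES-SHA1", "protect")]

# Constructed decapsulated packets.
PKT_HTTPS = {"src": "10.1.2.3", "dst": "192.168.0.5", "proto": "tcp", "dport": 443}
PKT_HTTP = {"src": "10.1.2.3", "dst": "192.168.0.5", "proto": "tcp", "dport": 80}
```

With only the narrow SPD, PKT_HTTP is discarded after decryption even though the SA was negotiated successfully; adding the wildcard entry is what lets it through.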