
Re: an inbound SPD-check question
Stephen,

>Say I am processing an inbound packet that has IPSEC protection.  I have
>located the right SA and I have decoded the original packet.
>
>I am then required to check the SPD to see that the required security was
>applied for the packet I now have.  If the SPD check comes back with the
>answer "BYPASS" (i.e. no security required), do I dump the packet, or
>forward it?
>
>A bit of a silly case (probably some mis-config somewhere), but it could
>happen.  If security has been successfully applied, it seems a bit naff to
>bin the packet because the inbound SPD check says the IPSEC protection was
>not required.

I'd drop the packet and make an audit log entry.  We want misconfigurations
to be detected and the SPD changed and if we don't provide feedback ...

Steve
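
The rule Steve gives (drop and write an audit record whenever the inbound SPD lookup does not call for the protection the packet actually arrived with) as an added illustration that is not part of the thread or of any IPsec implementation; the Selector, SpdEntry and Packet types and the sample SPD are hypothetical simplifications.

```python
"""Inbound SPD verification after decapsulation (hypothetical model, not code
from the list or from any IPsec stack). Selectors are reduced to src/dst
prefix plus IP protocol number."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Selector:
    src: str                      # CIDR prefix
    dst: str                      # CIDR prefix
    proto: Optional[int] = None   # IP protocol number, None = any


@dataclass(frozen=True)
class SpdEntry:
    selector: Selector
    action: str                              # DISCARD, BYPASS or PROTECT
    required: FrozenSet[str] = frozenset()   # e.g. {"ESP"} when PROTECT


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


def matches(sel: Selector, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(sel.src)
            and ip_address(pkt.dst) in ip_network(sel.dst)
            and (sel.proto is None or sel.proto == pkt.proto))


def inbound_spd_check(spd: List[SpdEntry], pkt: Packet,
                      applied: FrozenSet[str], audit: List[str]) -> str:
    """Decide FORWARD/DROP for a decapsulated packet; `applied` is the
    protection (ESP/AH) the located SA actually gave it."""
    entry = next((e for e in spd if matches(e.selector, pkt)), None)
    if entry and entry.action == "PROTECT" and entry.required <= applied:
        return "FORWARD"
    # BYPASS, DISCARD, wrong protocol or no entry: the SA and the policy
    # disagree, so drop and leave an operator enough to find the misconfig.
    why = "no matching SPD entry" if entry is None else (
        f"policy {entry.action} requires {sorted(entry.required)}")
    audit.append(f"DROP {pkt.src}->{pkt.dst} proto {pkt.proto}: "
                 f"{why}, received with {sorted(applied)}")
    return "DROP"


# Constructed sample SPD: one protected subnet pair, then a BYPASS rule.
SAMPLE_SPD = [
    SpdEntry(Selector("10.1.0.0/16", "10.2.0.0/16"), "PROTECT", frozenset({"ESP"})),
    SpdEntry(Selector("0.0.0.0/0", "10.2.0.0/16"), "BYPASS"),
]
```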
