Re: arch-07 and protocol mode stored in SAD? Why?
> "IPsec protocol mode", and I am wondering why?
>
> 1) There is no way to set this field from PFKEY, as far as I can see
> (unless one takes a hint from presence of a PROXY_ADDRESS
> extension, but even then it would leave open how to choose between
> "wildcard" and "transport")
Another way to see is on the SADB_ACQUIRE message, what the
sadb_address_proto field is set to. If it's set to IPPROTO_IP or
IPPROTO_IPV6, then you can safely assume it's tunnel.
I have NEVER understood why people are so anal about tunnel vs. transport.
One is a case of the other, IMHO.
> But anyway, it would seem that the description of the
> tunnel/wildcard/transport mode would not belong to SAD, but into SPD and
> bundles.
I agree!
> eg... for each bundle
>
> Step. 1. Apply general tunnel (IPIP) to packet (if the bundle
> specifies a tunnel, e.g. my policy tells when to tunnel or
> not, SA knows nothing about it)
>
> Step. 2. Apply ESP or AH to packet (these don't care what the
> next protocol is, work equally well with IPIP and any other
> protocols)
I believe you'll find more than a few implementations that do things this
way.
Dan
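An added example in C, not from this list posting or from any of the implementations Dan alludes to: it builds a constructed SADB_ACQUIRE message, walks the extension chain, and applies the inference described in the reply (a PROXY address extension, or a destination sadb_address_proto of IPPROTO_IP or IPPROTO_IPV6, is read as tunnel mode; any other specific protocol as transport). The struct layouts, extension-type numbers and message-type number are RFC 2367's, redefined inline so the file builds without <linux/pfkeyv2.h>; the mode enum, the builder, the sample addresses and the corrupted-length case are this example's own assumptions. Because every length field arrives from the other end of the PF_KEY socket, the parser refuses zero-length or oversized extensions rather than trusting them. RFC 2367 also uses protocol 0 to mean "any protocol", so the result is a hint to be checked against the SPD, which is the thread's point.

```c
/* Added example (not from the posting): infer IPsec mode from a PF_KEY v2
 * SADB_ACQUIRE. Layouts and constants follow RFC 2367; lengths are 64-bit words. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>   /* IPPROTO_IP, IPPROTO_IPV6, IPPROTO_TCP, sockaddr_in */
#include <arpa/inet.h>    /* htonl */

#define PF_KEY_V2              2
#define SADB_ACQUIRE           6
#define SADB_EXT_ADDRESS_SRC   5
#define SADB_EXT_ADDRESS_DST   6
#define SADB_EXT_ADDRESS_PROXY 7

struct sadb_msg {
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len, sadb_msg_reserved;
    uint32_t sadb_msg_seq, sadb_msg_pid;
};
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_address {
    uint16_t sadb_address_len, sadb_address_exttype;
    uint8_t  sadb_address_proto, sadb_address_prefixlen;
    uint16_t sadb_address_reserved;
};

enum ipsec_mode { MODE_UNKNOWN = 0, MODE_TRANSPORT = 1, MODE_TUNNEL = 2 };

/* Walk the extension chain. A zero or oversized sadb_ext_len is rejected
 * instead of trusted (a zero length would otherwise loop forever). */
enum ipsec_mode infer_mode_from_acquire(const uint8_t *buf, size_t buflen)
{
    struct sadb_msg hdr;
    if (buflen < sizeof hdr) return MODE_UNKNOWN;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.sadb_msg_version != PF_KEY_V2 || hdr.sadb_msg_type != SADB_ACQUIRE)
        return MODE_UNKNOWN;
    size_t msglen = (size_t)hdr.sadb_msg_len * 8;
    if (msglen < sizeof hdr || msglen > buflen) return MODE_UNKNOWN;

    int have_proxy = 0, dst_proto = -1;
    size_t off = sizeof hdr;
    while (off + sizeof(struct sadb_ext) <= msglen) {
        struct sadb_ext ext;
        memcpy(&ext, buf + off, sizeof ext);
        size_t extlen = (size_t)ext.sadb_ext_len * 8;
        if (extlen < sizeof ext || off + extlen > msglen) return MODE_UNKNOWN;
        if (ext.sadb_ext_type == SADB_EXT_ADDRESS_DST ||
            ext.sadb_ext_type == SADB_EXT_ADDRESS_PROXY) {
            struct sadb_address a;
            if (extlen < sizeof a) return MODE_UNKNOWN;
            memcpy(&a, buf + off, sizeof a);
            if (ext.sadb_ext_type == SADB_EXT_ADDRESS_PROXY) have_proxy = 1;
            else dst_proto = a.sadb_address_proto;
        }
        off += extlen;
    }
    /* The reply's heuristic: PROXY present, or DST proto IPPROTO_IP/IPPROTO_IPV6,
     * means the protected payload is a whole IP datagram, i.e. tunnel mode. */
    if (have_proxy || dst_proto == IPPROTO_IP || dst_proto == IPPROTO_IPV6)
        return MODE_TUNNEL;
    return dst_proto >= 0 ? MODE_TRANSPORT : MODE_UNKNOWN;
}

/* One IPv4 address extension: 8-byte sadb_address + 16-byte sockaddr_in = 3 words. */
static size_t put_addr_ext(uint8_t *p, uint16_t type, uint8_t proto, uint32_t host_ip)
{
    struct sadb_address a = { .sadb_address_len = 3, .sadb_address_exttype = type,
                              .sadb_address_proto = proto, .sadb_address_prefixlen = 32 };
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(host_ip);
    memcpy(p, &a, sizeof a);
    memcpy(p + sizeof a, &sin, sizeof sin);
    return sizeof a + sizeof sin;
}

/* Constructed sample: 10.0.0.1 -> 10.0.0.2 with optional PROXY 192.168.1.5.
 * Returns the byte length, or 0 if the buffer is too small. */
size_t build_acquire(uint8_t *out, size_t cap, uint8_t dst_proto, int with_proxy)
{
    if (cap < 128) return 0;
    memset(out, 0, cap);
    size_t off = sizeof(struct sadb_msg);
    off += put_addr_ext(out + off, SADB_EXT_ADDRESS_SRC, dst_proto, 0x0a000001u);
    off += put_addr_ext(out + off, SADB_EXT_ADDRESS_DST, dst_proto, 0x0a000002u);
    if (with_proxy)
        off += put_addr_ext(out + off, SADB_EXT_ADDRESS_PROXY, 0, 0xc0a80105u);
    struct sadb_msg hdr = { .sadb_msg_version = PF_KEY_V2, .sadb_msg_type = SADB_ACQUIRE,
                            .sadb_msg_len = (uint16_t)(off / 8), .sadb_msg_seq = 1 };
    memcpy(out, &hdr, sizeof hdr);
    return off;
}

int main(void)
{
    static const char *names[] = { "unknown", "transport", "tunnel" };
    uint8_t buf[128];
    size_t n = build_acquire(buf, sizeof buf, IPPROTO_IP, 0);
    printf("dst proto IPPROTO_IP: %s\n", names[infer_mode_from_acquire(buf, n)]);
    n = build_acquire(buf, sizeof buf, IPPROTO_TCP, 0);
    printf("dst proto TCP:        %s\n", names[infer_mode_from_acquire(buf, n)]);
    buf[sizeof(struct sadb_msg)] = buf[sizeof(struct sadb_msg) + 1] = 0; /* zero-length ext */
    printf("corrupted ext length: %s\n", names[infer_mode_from_acquire(buf, n)]);
    return 0;
}
```

The SRC extension is skipped on purpose: RFC 2367 carries the same protocol in SRC and DST for an ACQUIRE, and reading only DST keeps the inference in one place. The corrupted-length case shows why the bounds checks matter for any daemon that reads SADB_ACQUIRE from the kernel and from nothing else it trusts.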