
RE: inbound policy verification




> 
> I think this inbound policy on H1 should *enforce* this.
> If somehow H2 should use SA1 to send to H1 (maliciously or accidentally),
> then H1 should reject the packets.
> 

In Page 17 of the Security Architecture Draft,

"Thus, to ensure consistent predictable processing, SPD entries MUST be
 ordered and the SPD MUST be searched in the same order, so that the
 first matching entry is consistently selected"

In section 5.2.1, there is a "NOTE" which says

"The correct matching policy will not be the first inbound policy found.
 If the check in (4) fails, steps (3) and (4) are repeated until all
 policy entries have been checked".

If the entries are "ordered" (as stated by the previous statement), why
search until we find a desired one for the packet? I can take "ordered"
as "I have ordered my policy entries. If the first one matches and if
required IPSEC processing has not been done, drop the packet".

What was the intention behind the NOTE in section 5.2.1?
In case of wildcard PORTS/addresses, wouldn't it be nice for the
admin to set up the policy in the right order and get a consistent
behavior?

-mohan
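The two lookup semantics the message contrasts can be made concrete with a small model. The following is an added example, not code from the draft or from anyone in this thread: it models an inbound SPD as an ordered list of entries, each with selectors and the IPsec processing the policy requires, and implements both the strict first-match rule (first selector match decides; if the required processing was not applied, drop) and the "keep searching" rule from the NOTE (skip selector matches whose required processing does not agree with what was actually applied, until an entry agrees or the list is exhausted). The entry names, the host names H1/H2/H3 and the sample policy are constructed for this illustration; a real SPD carries far more selector fields and per-entry SA state.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """An inbound packet after any IPsec decapsulation (constructed model)."""
    src: str
    dst: str
    proto: str
    dport: int
    # IPsec processing actually applied on receipt: "ESP", "AH" or None (cleartext)
    applied: Optional[str]


@dataclass(frozen=True)
class SpdEntry:
    """One inbound SPD entry: selectors plus the processing the policy requires."""
    name: str
    src: str                  # "*" matches any address
    dst: str
    proto: str
    dport: Optional[int]      # None matches any port
    required: Optional[str]   # "ESP", "AH" or None (bypass: must arrive in the clear)

    def selectors_match(self, pkt: Packet) -> bool:
        return ((self.src == "*" or self.src == pkt.src)
                and (self.dst == "*" or self.dst == pkt.dst)
                and (self.proto == "*" or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def first_match(spd: List[SpdEntry], pkt: Packet) -> str:
    """Strict ordered first-match: the first selector match is the policy.
    If its required processing was not applied, the packet is dropped."""
    for e in spd:
        if e.selectors_match(pkt):
            if e.required == pkt.applied:
                return f"ACCEPT:{e.name}"
            return f"DROP:{e.name}"
    return "DROP:no-policy"


def search_all(spd: List[SpdEntry], pkt: Packet) -> str:
    """The NOTE's semantics: a selector match whose required processing
    disagrees with what was applied is skipped and the search continues."""
    for e in spd:
        if e.selectors_match(pkt) and e.required == pkt.applied:
            return f"ACCEPT:{e.name}"
    return "DROP:no-policy"


# Constructed sample policy: a wildcard entry demanding ESP for all TCP to H1,
# followed by a narrower bypass entry for H2's SMTP traffic.
SPD = [
    SpdEntry("all-tcp-to-H1-esp", "*", "H1", "tcp", None, "ESP"),
    SpdEntry("H2-smtp-bypass", "H2", "H1", "tcp", 25, None),
]


def compare(pkt: Packet) -> tuple:
    """Return (first-match verdict, search-all verdict) for one packet."""
    return first_match(SPD, pkt), search_all(SPD, pkt)


if __name__ == "__main__":
    samples = [
        Packet("H2", "H1", "tcp", 25, None),   # H2 SMTP in the clear
        Packet("H2", "H1", "tcp", 25, "ESP"),  # H2 SMTP inside ESP
        Packet("H3", "H1", "tcp", 80, None),   # unrelated host, cleartext
    ]
    for p in samples:
        print(p, "->", compare(p))
```

The first sample is the case the message worries about: the wildcard entry is listed first and requires ESP, so under strict first-match a cleartext SMTP packet from H2 is dropped, while under the NOTE's semantics the later bypass entry accepts it. With strict ordering the administrator's ordering alone determines the outcome; with the continue-searching rule, any later entry that happens to agree with the packet's actual processing can override an earlier, more general requirement.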