Re: question on Matching SAD and Selectors
Dear Stephen,
Thank you very much for answering my questions. Yes, the triple parameter
used to look up the SAD table for inbound traffic is: destination address,
security protocol (AH or ESP), and SPI. I typed it wrong.
However, my initial question on that point is still there. Please look at
the last paragraph of your email below,
>Inbound packet processing is described in detail in RFC 2401. The fields
>from the relevant IP header (e.g., the inner IP header for tunnel mode AH
>or ESP) MUST be checked against the selectors applied to the SA.
If the SAD is looked up by the triple parameters of the inbound packet,
a unique SA will be found if it is active. Then, how can it
happen that the packet's selectors do NOT match the relevant
selector values in the SAD/SPD? (The triple parameter
is the KEY of the SAD.) If this will not happen, why should we match selectors
for inbound traffic?
What do we do if the inbound triple (destination address, security protocol, and
SPI) matches a SAD entry but its selectors do not match?
By the way, as I understand it, inbound traffic will look up the inbound SAD
first through the triple, while outbound traffic will look up the outbound SPD
first and then find an SA in the outbound SAD.
Does this mean the inbound SPD is not used by inbound traffic, at least before IP
processing?
Thanks
Qu
At 10:24 AM 7/1/99 -0400, you wrote:
>
>>I see some earlier research using a hash table indexed by SPI (for the SPD),
>>or indexed by source/destination address (for the SAD), but the standard RFC 2401
>>requires two databases each for inbound and outbound:
>>
>>The SPD should be looked up by selectors, which have 6 data fields, for outbound
>>traffic;
>
>Not all selectors will be used in every case, but yes, you do need to be
>able to make use of all selector types for outbound traffic.
>
>>The SAD should be indexed by the triple (Destination Address, Source Address, and SPI)
>>and looked up by inbound traffic;
>
>No, the triple for lookup on inbound traffic is: destination address,
>security protocol (AH or ESP), and SPI.
>
>>Also, does this mean that
>> each SAD entry does not have to keep selector data field;
>> while inbound packet does not have to match its selector data fields
>>with inbound SPD?
>
>Inbound packet processing is described in detail in RFC 2401. The fields
>from the relevant IP header (e.g., the inner IP header for tunnel mode AH
>or ESP) MUST be checked against the selectors applied to the SA.
>
>Steve
>
>
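The inbound processing model the thread is discussing, written out as an added example for this archive page; it is not code from either participant, and the data structures, names and sample addresses are assumptions. It shows the two separate steps RFC 2401 describes: the inbound SAD is keyed by the triple (destination address, security protocol, SPI), which does yield at most one SA, but the SA's selectors were fixed when the SA was negotiated while the inner header of a tunnel-mode packet is whatever the peer put there. So a packet can hit the SA and still carry an inner source or destination the SA was never meant to cover; RFC 2401 requires such a packet to be discarded (and the event logged) rather than forwarded.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "*"  # wildcard selector value (assumed convention for this example)


@dataclass(frozen=True)
class Selectors:
    """Traffic selectors negotiated for an SA: addresses as CIDR or '*',
    protocol and ports as int or '*'."""
    src: str
    dst: str
    proto: object
    sport: object
    dport: object

    def matches(self, pkt: "InnerPacket") -> bool:
        def addr_ok(sel, addr):
            return sel == ANY or ip_address(addr) in ip_network(sel)

        def val_ok(sel, val):
            return sel == ANY or sel == val

        return (addr_ok(self.src, pkt.src) and addr_ok(self.dst, pkt.dst)
                and val_ok(self.proto, pkt.proto)
                and val_ok(self.sport, pkt.sport)
                and val_ok(self.dport, pkt.dport))


@dataclass(frozen=True)
class SA:
    dst: str          # SA destination address (tunnel endpoint for tunnel mode)
    sec_proto: str    # "ESP" or "AH"
    spi: int
    selectors: Selectors


@dataclass
class InboundSAD:
    """Inbound SAD keyed by the RFC 2401 triple (dst, protocol, SPI)."""
    entries: dict = field(default_factory=dict)

    def add(self, sa: SA) -> None:
        self.entries[(sa.dst, sa.sec_proto, sa.spi)] = sa

    def lookup(self, dst: str, sec_proto: str, spi: int):
        return self.entries.get((dst, sec_proto, spi))


@dataclass(frozen=True)
class InnerPacket:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class InboundPacket:
    outer_dst: str
    sec_proto: str
    spi: int
    inner: InnerPacket   # header revealed after AH/ESP processing


def process_inbound(sad: InboundSAD, pkt: InboundPacket) -> tuple:
    """Step 1: triple lookup. Step 2 (after AH/ESP verification, not modelled
    here): check the decapsulated header against the SA's selectors."""
    sa = sad.lookup(pkt.outer_dst, pkt.sec_proto, pkt.spi)
    if sa is None:
        return ("DISCARD", "no SA for (dst, protocol, SPI)")
    if not sa.selectors.matches(pkt.inner):
        # Same SA, wrong traffic: must be dropped and audited, never forwarded.
        return ("DISCARD", "decapsulated packet does not match SA selectors")
    return ("ACCEPT", "SA spi=0x%x" % sa.spi)


def demo_sad() -> InboundSAD:
    """Constructed sample: one tunnel-mode ESP SA covering 10.1/16 -> 10.2/16, TCP/443."""
    sad = InboundSAD()
    sad.add(SA("203.0.113.1", "ESP", 0x1001,
               Selectors("10.1.0.0/16", "10.2.0.0/16", 6, ANY, 443)))
    return sad


if __name__ == "__main__":
    sad = demo_sad()
    good = InboundPacket("203.0.113.1", "ESP", 0x1001,
                         InnerPacket("10.1.4.4", "10.2.9.9", 6, 40000, 443))
    bad = InboundPacket("203.0.113.1", "ESP", 0x1001,
                        InnerPacket("192.168.7.7", "10.2.9.9", 6, 40000, 443))
    print(process_inbound(sad, good))
    print(process_inbound(sad, bad))
```

The SAD lookup alone answers "which SA?"; the selector check answers "was this SA allowed to carry this packet?". Both the unknown-SPI case and the selector mismatch end in DISCARD, but they are different failures and are worth distinguishing in audit records.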