
Re: question on Matching SAD and Selectors



Dear Stephen,

Thank you very much for answering my questions. Yes, the triple parameter
used to look up the SAD table for inbound traffic is: destination address,
security protocol (AH or ESP), and SPI.  I typed it wrong.

However, my initial question on that point is still there. Please look at
the last paragraph of your email below,

>Inbound packet processing is described in detail in RFC 2401.  The fields
>from the relevant IP header (e.g., the inner IP header for tunnel mode AH
>or ESP) MUST be checked against the selectors applied to the SA.


If the SAD is looked up by the triple parameters of the inbound packet,
a unique SA will be found if it is active.  Then, how can it
happen that the packet's selectors do NOT match the relevant
selector values in the SAD/SPD?   (The triple parameter
is the KEY of the SAD).  If this cannot happen, why should we match selectors
for inbound traffic?

What do we do if the inbound triple (destination address, security protocol, and
SPI) matches a SAD entry but its selectors do not match?

By the way, as I understand it, inbound traffic looks up the inbound SAD
first through the triple, while outbound traffic looks up the outbound SPD
first and then finds an SA in the outbound SAD.

Does this mean the inbound SPD is not used by inbound traffic, at least before IP
processing?

Thanks

Qu


At 10:24 AM 7/1/99 -0400, you wrote:
>
>>I see some earlier research using a hash table indexed by SPI (for SPD),
>>or indexed by source/destination address (SAD), but the standard RFC2401
>>requires two databases, for each of inbound and outbound:
>>
>>SPD should be looked up by selectors, which have 6 data fields, for outbound
>>traffic;
>
>Not all selectors will be used in every case, but yes, you do need to be
>able to make use of all selector types for outbound traffic.
>
>>SAD should be indexed by triple (Destination Add, Source Add, and SPI) and
>>looked up by inbound traffic;
>
>No, the triple for lookup on inbound traffic is: destination address,
>security protocol (AH or ESP), and SPI.
>
>>Also, does this mean that
>>   each SAD entry does not have to keep selector data field;
>>   while inbound packet does not have to match its selector data fields
>>with inbound SPD?
>
>Inbound packet processing is described in detail in RFC 2401.  The fields
>from the relevant IP header (e.g., the inner IP header for tunnel mode AH
>or ESP) MUST be checked against the selectors applied to the SA.
>
>Steve
>
>

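Added illustration of the inbound path RFC 2401 describes (example code written for this archive page, not code from either correspondent): the (destination address, security protocol, SPI) triple selects the SA, but nothing stops a peer from sending inner traffic that SA was never negotiated for, so the packet's selectors are still checked against the SA's and a mismatch is discarded as an auditable event. The SA contents and packets are constructed toy data.

```python
import ipaddress

AH, ESP = 51, 50   # IP protocol numbers for AH and ESP

class SA:
    """One inbound SAD entry: the lookup triple plus the selectors bound to the SA."""
    def __init__(self, dst, proto, spi, sel_src, sel_dst, sel_proto=None, sel_port=None):
        self.key = (dst, proto, spi)                 # SAD key for inbound lookup
        self.sel_src = ipaddress.ip_network(sel_src)  # negotiated inner source range
        self.sel_dst = ipaddress.ip_network(sel_dst)  # negotiated inner destination range
        self.sel_proto = sel_proto                    # None = any transport protocol
        self.sel_port = sel_port                      # None = any port

SAD = {}

def add_sa(sa):
    SAD[sa.key] = sa

def selectors_match(sa, pkt):
    """Compare the inner (post-decapsulation) header fields with the SA's selectors."""
    return (ipaddress.ip_address(pkt["inner_src"]) in sa.sel_src
            and ipaddress.ip_address(pkt["inner_dst"]) in sa.sel_dst
            and (sa.sel_proto is None or sa.sel_proto == pkt["inner_proto"])
            and (sa.sel_port is None or sa.sel_port == pkt["inner_port"]))

def process_inbound(pkt):
    """Returns ("accept", sa) or ("drop", reason); each drop is an auditable event."""
    sa = SAD.get((pkt["outer_dst"], pkt["proto"], pkt["spi"]))
    if sa is None:
        return ("drop", "no SA for triple")        # RFC 2401: discard and log
    if not selectors_match(sa, pkt):
        return ("drop", "selector mismatch")       # valid SA, but traffic it was not negotiated for
    return ("accept", sa)

# Constructed SA: tunnel-mode ESP to 192.0.2.1, SPI 0x1001, covering TCP/80
# from 10.1.0.0/16 to 10.2.0.0/16 only.
add_sa(SA("192.0.2.1", ESP, 0x1001, "10.1.0.0/16", "10.2.0.0/16", sel_proto=6, sel_port=80))

OK_PKT = {"outer_dst": "192.0.2.1", "proto": ESP, "spi": 0x1001,
          "inner_src": "10.1.5.5", "inner_dst": "10.2.7.7",
          "inner_proto": 6, "inner_port": 80}
# Same triple, so the SAD lookup succeeds, but the inner source is outside the SA's selector.
BAD_PKT = dict(OK_PKT, inner_src="10.9.5.5")

if __name__ == "__main__":
    print(process_inbound(OK_PKT)[0], process_inbound(BAD_PKT))
```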