
Re: question on Matching SAD and Selectors



Qu,

>However, my initial question for that point is still there. Please look at
>the last paragraph of your email below,
>
>>Inbound packet processing is described in detail in RFC 2401.  The fields
>>from the relevant IP header (e.g., the inner IP header for tunnel mode AH
>>or ESP) MUST be checked against the selectors applied to the SA.
>
>
>If the SAD is looked up by the triple parameters of an inbound packet,
>a unique SA will be found if it is active.  Then, how can it
>happen that the packet's selectors do NOT match the relevant
>selector values in the SAD/SPD?   (The triple parameter
>is the KEY of the SAD).  If this will not happen, why should we match selectors
>for inbound traffic?

Because the sender may have introduced inappropriate traffic on the SA, due
to a security failure at their end of the SA.

>What do we do if the inbound triple (destination address, security protocol, and
>SPI) matches a SAD entry but its selectors do not match?

Then you discard the traffic and audit the event.

>By the way, as I understand it, inbound traffic will look up the inbound SAD
>first through the triple, while outbound traffic will look up the outbound SPD
>first and then find an SA in the outbound SAD.
>
>Does this mean the inbound SPD is not used by inbound traffic, at least before IP
>processing?

I don't understand this last question.

Steve
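The inbound path discussed above (SAD lookup by the triple, then the selector check on the decapsulated header, with discard and audit on mismatch), as an added illustrative model that is not from the thread or from any IPsec implementation; the packet and SA representations, the sample addresses and the SPI are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical model of RFC 2401 inbound processing: the SAD is keyed by the
# (destination address, security protocol, SPI) triple and each SA carries the
# selectors that were negotiated for it.

@dataclass(frozen=True)
class Selectors:
    src_net: str                     # CIDR allowed as source of protected traffic
    dst_net: str                     # CIDR allowed as destination
    proto: Optional[int] = None      # IP protocol number, None = any
    dst_port: Optional[int] = None   # None = any

@dataclass(frozen=True)
class SA:
    mode: str                        # "tunnel" or "transport"
    selectors: Selectors

SAD: dict = {}        # (dst address, "AH"|"ESP", SPI) -> SA
AUDIT: list = []      # audit records for discarded packets

def selectors_match(sel: Selectors, hdr: dict) -> bool:
    """Check the header fields the SA protects against the SA's selectors."""
    return (ip_address(hdr["src"]) in ip_network(sel.src_net)
            and ip_address(hdr["dst"]) in ip_network(sel.dst_net)
            and sel.proto in (None, hdr["proto"])
            and sel.dst_port in (None, hdr.get("dst_port")))

def process_inbound(pkt: dict) -> str:
    """Return "ACCEPT" or "DISCARD"; every discard is written to AUDIT."""
    sa = SAD.get((pkt["dst"], pkt["protocol"], pkt["spi"]))
    if sa is None:
        AUDIT.append(f"no SA for {pkt['dst']}/{pkt['protocol']}/spi={pkt['spi']:#x}")
        return "DISCARD"
    # Tunnel mode: the selectors apply to the inner IP header, not the outer one.
    hdr = pkt["inner"] if sa.mode == "tunnel" else pkt
    if not selectors_match(sa.selectors, hdr):
        AUDIT.append(f"selector mismatch on spi={pkt['spi']:#x}: {hdr}")
        return "DISCARD"
    return "ACCEPT"

# Constructed sample: one tunnel-mode ESP SA that was negotiated only for
# 10.1.0.0/16 -> 10.2.0.0/16 TCP traffic.
SAD[("192.0.2.2", "ESP", 0x1001)] = SA("tunnel", Selectors("10.1.0.0/16", "10.2.0.0/16", proto=6))

def demo() -> tuple:
    ok = process_inbound({"dst": "192.0.2.2", "protocol": "ESP", "spi": 0x1001,
                          "inner": {"src": "10.1.5.5", "dst": "10.2.7.7", "proto": 6, "dst_port": 443}})
    # Same triple, so the SAD lookup succeeds, but the peer put traffic on the
    # SA that the selectors never covered: discarded and audited.
    bad = process_inbound({"dst": "192.0.2.2", "protocol": "ESP", "spi": 0x1001,
                           "inner": {"src": "172.16.0.9", "dst": "10.2.7.7", "proto": 17}})
    return ok, bad, len(AUDIT)
```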

