Re: question on Matching SAD and Selectors
Qu,
>However, my initial question for that point is still there. Please look at
>the last paragraph of your email below,
>
>>Inbound packet processing is described in detail in RFC 2401. The fields
>>from the relevant IP header (e.g., the inner IP header for tunnel mode AH
>>or ESP) MUST be checked against the selectors applied to the SA.
>
>If the SAD is looked up by the triple parameters of the inbound packet,
>a unique SA will be found if it is active. Then, how can it
>happen that the packet's selectors do NOT match the relevant
>selector values in the SAD/SPD? (The triple parameter
>is the KEY of the SAD.) If this will not happen, why should we match selectors
>for inbound traffic?
Because the sender may have introduced inappropriate traffic on the SA, due
to a security failure at their end of the SA.
>What do we do if the inbound triple (destination address, security protocol, and
>SPI) matches a SAD entry but its selector does not match?
Then you discard the traffic and audit the event.
>By the way, as I understand it, inbound traffic will look up the inbound SAD
>first through the triple, while outbound traffic will look up the outbound SPD
>first and then find an SA in the outbound SAD.
>
>Does this mean the inbound SPD is not used by inbound traffic, at least before IP
>processing?
I don't understand this last question.
Steve
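The inbound processing Steve describes (look up the SA by the triple, then check the decapsulated packet against the SA's selectors, and discard and audit on mismatch), written out as an added Python illustration that is not part of this thread or of any IPsec implementation; the SAD entry, addresses, SPI and packets are constructed sample values:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Selector:
    """Traffic the SA is allowed to carry; None means 'any' for that field."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None            # transport protocol number
    dst_ports: Optional[range] = None      # destination port range

@dataclass(frozen=True)
class SAKey:          # the triple that indexes the inbound SAD
    dst_addr: str
    protocol: str     # "AH" or "ESP"
    spi: int

@dataclass
class Packet:
    outer_dst: str
    ipsec_proto: str
    spi: int
    inner_src: str    # fields of the inner (tunnel mode) IP header
    inner_dst: str
    inner_proto: int
    dport: int

def selector_matches(sel: Selector, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.inner_src) in sel.src
            and ipaddress.ip_address(pkt.inner_dst) in sel.dst
            and (sel.proto is None or sel.proto == pkt.inner_proto)
            and (sel.dst_ports is None or pkt.dport in sel.dst_ports))

def process_inbound(sad: dict, pkt: Packet, audit: list) -> str:
    """Step 1: SAD lookup by triple. Step 2: selector check. Mismatch -> discard + audit."""
    sa = sad.get(SAKey(pkt.outer_dst, pkt.ipsec_proto, pkt.spi))
    if sa is None:
        audit.append(f"no SA for ({pkt.outer_dst}, {pkt.ipsec_proto}, spi={pkt.spi:#x})")
        return "discard"
    if not selector_matches(sa, pkt):
        audit.append(f"selector mismatch on spi={pkt.spi:#x}: "
                     f"{pkt.inner_src}->{pkt.inner_dst} proto={pkt.inner_proto} dport={pkt.dport}")
        return "discard"
    return "accept"

# Constructed SAD: one tunnel-mode ESP SA meant only for 10.1.0.0/16 -> 10.2.0.0/16 TCP/443.
SAD = {SAKey("192.0.2.1", "ESP", 0x1001): Selector(
    ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16"), 6, range(443, 444))}
```

A packet whose triple finds the SA but whose inner header falls outside the SA's selectors is exactly the case Steve's reply covers: the peer has put traffic on the SA it was never negotiated for, so it is dropped and logged rather than forwarded.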