
Re: question on Inbound / Outbound SAD/SPD RFC2401



Dear Steve,

Thank you very much.  Since you answered my first question, I have to
correct my last question below.  Now I know that matching the inbound
selectors against the inbound SAD/SPD, after the inbound packet's triple
parameter has already found a match, serves a verify or audit purpose in
the case where a packet is sent over an SA by mistake.

But before doing IPsec processing, not all the selector values may be
visible because of the use of ESP, so this verify or audit phase cannot be
done before IPsec processing.  So this means an inbound packet can still be
dropped after IPsec processing because its selector values do not
match the inbound SPD/SAD (although the triple parameters do match).
Do you agree with me?

My other question is: since by the standard we have to distinguish inbound
and outbound SPD and SAD, do we have to implement 2*2 = 4 databases (or 4
lookup tables)?  Although there is a lot of overlap, the SA key
exchange/negotiation phase must update both the inbound and outbound SAD in
different ways, plus both ends must update their SADs at the same time and
do it consistently.  Is such complexity intended by RFC2401 and ISAKMP?

  
Thanks. 

Qu

 

>>By the way, as I understand it, inbound traffic will look up the inbound SAD
>>first through the triple, while outbound traffic will look up the outbound SPD
>>first and then find an SA in the outbound SAD.  Does this mean the inbound SPD
>>is not used by inbound traffic, at least before IP processing?
>
>I don't understand this last question.
>
>Steve
>
>
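The lookup order discussed in this message, modelled as an added Python example (not code from the original thread, from RFC 2401 or from any IPsec implementation): the outbound path consults the outbound SPD by selectors and then the outbound SAD; the inbound path consults the inbound SAD by the (destination address, protocol, SPI) triple, decapsulates, and only then can compare the inner selectors against the SA and the inbound SPD, which is where a packet sent over the wrong SA is dropped. Addresses, the SPI, the selector fields, the XOR "cipher" and all function and class names are constructed for the example; real selectors also carry ranges and ports are only one of several fields.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

ANY = "*"  # wildcard selector value (constructed convention for this example)


@dataclass(frozen=True)
class Packet:
    """Inner (plaintext) IP packet reduced to its RFC 2401 selector fields."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """SPD/SAD selector set; ANY matches anything (ranges omitted for brevity)."""
    src: str = ANY
    dst: str = ANY
    proto: str = ANY
    sport: Union[str, int] = ANY
    dport: Union[str, int] = ANY

    def matches(self, p: Packet) -> bool:
        want = (self.src, self.dst, self.proto, self.sport, self.dport)
        have = (p.src, p.dst, p.proto, p.sport, p.dport)
        return all(w == ANY or w == h for w, h in zip(want, have))


@dataclass(frozen=True)
class EspPacket:
    """Outer ESP packet: only the triple (outer dst, ESP, SPI) is visible before decryption."""
    outer_dst: str
    spi: int
    ciphertext: bytes


@dataclass
class SA:
    spi: int
    outer_dst: str
    selectors: Selector  # what traffic this SA was negotiated to carry
    key: bytes


@dataclass
class SPDEntry:
    selectors: Selector
    action: str  # "PROTECT", "BYPASS" or "DISCARD"
    spi: Optional[int] = None  # SA to use when action == "PROTECT"


def _toy_crypt(data: bytes, key: bytes) -> bytes:
    # XOR stream stand-in for ESP encryption; NOT a real cipher, constructed for the example.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _serialize(p: Packet) -> bytes:
    return f"{p.src},{p.dst},{p.proto},{p.sport},{p.dport}".encode()


def _deserialize(b: bytes) -> Packet:
    src, dst, proto, sport, dport = b.decode().split(",")
    return Packet(src, dst, proto, int(sport), int(dport))


class IPsecNode:
    """One endpoint with separate inbound/outbound SPD and SAD (four tables)."""

    def __init__(self) -> None:
        self.spd_out: List[SPDEntry] = []
        self.spd_in: List[SPDEntry] = []
        self.sad_out: Dict[int, SA] = {}                   # keyed by SPI
        self.sad_in: Dict[Tuple[str, str, int], SA] = {}  # keyed by (dst, proto, SPI) triple

    def outbound(self, p: Packet):
        # Outbound: SPD first (by selectors), then the SA it names in the outbound SAD.
        for e in self.spd_out:
            if e.selectors.matches(p):
                if e.action == "BYPASS":
                    return ("BYPASS", p)
                if e.action == "DISCARD":
                    return ("DISCARD", None)
                sa = self.sad_out.get(e.spi)
                if sa is None:
                    return ("NO_SA", None)  # a real stack would trigger IKE/ISAKMP here
                return ("PROTECT", EspPacket(sa.outer_dst, sa.spi, _toy_crypt(_serialize(p), sa.key)))
        return ("DISCARD", None)  # no matching SPD entry: discard

    def inbound(self, esp: EspPacket):
        # Inbound: SAD first, by the triple; selectors are not yet visible.
        sa = self.sad_in.get((esp.outer_dst, "ESP", esp.spi))
        if sa is None:
            return ("NO_SA", None)
        inner = _deserialize(_toy_crypt(esp.ciphertext, sa.key))  # selectors visible only now
        # Verify/audit step: was this traffic allowed on this SA at all?
        if not sa.selectors.matches(inner):
            return ("SELECTOR_MISMATCH", None)
        # Inbound SPD: policy for these selectors must call for the protection just applied.
        for e in self.spd_in:
            if e.selectors.matches(inner):
                return ("ACCEPT", inner) if e.action == "PROTECT" else ("POLICY_MISMATCH", None)
        return ("DISCARD", None)


def build_peer_pair() -> Tuple[IPsecNode, IPsecNode]:
    """Two nodes sharing one ESP SA (alice -> bob); both SADs updated consistently."""
    sel = Selector(src="10.0.0.1", dst="10.0.1.1", proto="tcp", dport=80)
    key = b"constructed-demo-key"
    alice, bob = IPsecNode(), IPsecNode()
    alice.spd_out.append(SPDEntry(sel, "PROTECT", spi=0x1001))
    alice.sad_out[0x1001] = SA(0x1001, "203.0.113.2", sel, key)
    bob.sad_in[("203.0.113.2", "ESP", 0x1001)] = SA(0x1001, "203.0.113.2", sel, key)
    bob.spd_in.append(SPDEntry(sel, "PROTECT", spi=0x1001))
    return alice, bob


def run_demo() -> Dict[str, str]:
    alice, bob = build_peer_pair()
    results: Dict[str, str] = {}
    web = Packet("10.0.0.1", "10.0.1.1", "tcp", 40000, 80)
    action, esp = alice.outbound(web)
    results["outbound"] = action
    results["inbound_ok"] = bob.inbound(esp)[0]
    # Traffic the SPD does not cover is discarded on the way out.
    ssh = Packet("10.0.0.1", "10.0.1.1", "tcp", 40001, 22)
    results["outbound_no_policy"] = alice.outbound(ssh)[0]
    # "Sent over an SA by mistake": a peer wraps ssh traffic in the web SA anyway.
    key = alice.sad_out[0x1001].key
    wrong = EspPacket("203.0.113.2", 0x1001, _toy_crypt(_serialize(ssh), key))
    results["inbound_wrong_traffic"] = bob.inbound(wrong)[0]
    # Unknown SPI: the triple lookup itself fails, before any decryption.
    results["inbound_unknown_spi"] = bob.inbound(EspPacket("203.0.113.2", 0x2002, b""))[0]
    return results
```

The "inbound_wrong_traffic" case is the one the message asks about: the triple lookup succeeds, decryption succeeds, and the packet is still dropped afterwards because the inner selectors do not match what the SA and inbound SPD permit. The four tables are kept distinct because the keys differ: the outbound SAD is reached from an SPD entry, while the inbound SAD is indexed directly by the triple.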


