
Re: question on Matching SAD and Selectors



> >Does this mean inbound SPD not used by inbound traffic at least before IP
> >processing?
>

For Outbound traffic, you must look at the Outbound SPD to find the
appropriate IPSec to do.  For inbound traffic, the sender found the IPSec so
you just look up the triple (SPI, Dest IP, IPSec proto) to
authenticate and/or decrypt the packet.  This is at the IP layer but before
the transport layer.  At the transport layer, you look up the Inbound SPD to
make sure the proper IPSec was performed for this traffic.

Hope this helps,

Aaron
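
The inbound sequence described in the message above, as an added Python model that is not part of the original post: the SAD is consulted first by the triple, and the inbound SPD is checked afterwards against the packet's selectors. The table layouts, field names and sample addresses are assumptions constructed for illustration, and the authentication/decryption step is only marked by a comment.

```python
from ipaddress import ip_address, ip_network

# SAD keyed by the triple (SPI, destination IP, IPsec protocol). Constructed sample data.
SAD = {(0x1001, "192.0.2.1", "ESP"): {"proto": "ESP"}}

# Inbound SPD, first match wins (hypothetical layout):
# (src net, dst net, transport or None, dst port or None, required IPsec / None = bypass / "DISCARD")
INBOUND_SPD = [
    ("198.51.100.0/24", "192.0.2.1/32", "tcp", 443, "ESP"),
    ("0.0.0.0/0", "192.0.2.1/32", "icmp", None, None),
    ("0.0.0.0/0", "0.0.0.0/0", None, None, "DISCARD"),
]

def sad_lookup(spi, dst, proto):
    """IP-layer step: find the SA from the triple carried in the packet."""
    return SAD.get((spi, dst, proto))

def spd_lookup(pkt):
    """Later step: find the policy that applies to the packet's selectors."""
    for src, dst, transport, dport, required in INBOUND_SPD:
        if (ip_address(pkt["src"]) in ip_network(src)
                and ip_address(pkt["dst"]) in ip_network(dst)
                and transport in (None, pkt["transport"])
                and dport in (None, pkt.get("dport"))):
            return required
    return "DISCARD"

def inbound(pkt):
    applied = None
    if pkt.get("ipsec"):  # packet carries an AH/ESP header
        sa = sad_lookup(pkt["spi"], pkt["dst"], pkt["ipsec"])
        if sa is None:
            return "drop: no SA"
        applied = sa["proto"]  # authenticate and/or decrypt would happen here
    required = spd_lookup(pkt)
    if required == "DISCARD":
        return "drop: policy discard"
    if applied != required:  # the proper IPsec was not performed for this traffic
        return f"drop: policy requires {required}, got {applied}"
    return "accept"

# Constructed sample packets (selectors shown as they appear after any decryption).
BASE = {"src": "198.51.100.7", "dst": "192.0.2.1", "transport": "tcp", "dport": 443}
PROTECTED = {**BASE, "ipsec": "ESP", "spi": 0x1001}
CLEARTEXT = dict(BASE)
UNKNOWN_SPI = {**BASE, "ipsec": "ESP", "spi": 0x9999}
PING = {"src": "203.0.113.5", "dst": "192.0.2.1", "transport": "icmp"}
```

The `CLEARTEXT` packet never touches the SAD, so only the inbound SPD check rejects it.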




