
Re: question on Inbound / Outbound SAD/SPD RFC2401



Qu,

>Thank you very much.  Since you answered my first question, I have to
>correct my last question below.  Now I know that matching the inbound
>selectors with the inbound SAD/SPD, after the inbound packet's triple
>parameter has already found a match, serves a verify or audit purpose in
>the case where a packet is sent over an SA by mistake.
>
>But before doing IPsec processing, not all the selector values may be
>visible because of the use of ESP, so this verify or audit phase cannot be
>done before IPsec processing. This means an inbound packet can still be
>dropped after IPsec processing because its selector values do not match
>the inbound SPD/SAD (although the triple parameter does match).
>Do you agree with me?

Yes.

>My other question is: since by the standard we have to distinguish
>inbound and outbound SPD and SAD, do we have to implement 2*2 = 4
>databases (or 4 lookup tables)?  Although there is a lot of overlap, the SA
>key exchange/negotiation phase must update both the inbound and outbound
>SAD in a different way, and both ends must update their SADs at the same
>time, and do it consistently.  Is such a complexity intended by RFC 2401
>and ISAKMP?

Yes.

Steve
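The two-stage inbound check the thread agrees on (first the SA lookup by the SPI / destination address / IPsec protocol triple, then, once ESP has been stripped, a comparison of the inner packet's selectors against the selectors the SA was negotiated for) modelled as a small added example. This is illustration code written for this page, not code from the post or from any IPsec implementation; the SA record, the `decapsulate` callable that stands in for ESP decryption, and the addresses are all constructed.

```python
"""Model of RFC 2401 inbound processing: SAD lookup by triple, then a
post-decapsulation selector check that can still drop the packet.
Added example; not from the mailing-list post or any real IPsec stack."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Selectors:
    """Traffic selectors an SA was negotiated for; None means 'any'."""
    src_net: str
    dst_net: str
    proto: Optional[int]
    dst_port: Optional[int]

    def matches(self, src: str, dst: str, proto: int, dst_port: int) -> bool:
        return (ip_address(src) in ip_network(self.src_net)
                and ip_address(dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == proto)
                and (self.dst_port is None or self.dst_port == dst_port))


@dataclass(frozen=True)
class InboundSA:
    spi: int
    outer_dst: str
    ipsec_proto: str          # "ESP" or "AH"
    selectors: Selectors


# Constructed inbound SAD, keyed by the triple visible on the outer packet.
INBOUND_SAD = {
    (0x1001, "192.0.2.1", "ESP"): InboundSA(
        0x1001, "192.0.2.1", "ESP",
        Selectors("10.1.0.0/16", "10.2.0.0/16", 6, 443)),
}

# Inner-header tuple: (src, dst, ip_proto, dst_port)
Inner = Tuple[str, str, int, int]


def lookup_sa(spi: int, outer_dst: str, ipsec_proto: str) -> Optional[InboundSA]:
    """Stage 1: the only lookup possible before decryption."""
    return INBOUND_SAD.get((spi, outer_dst, ipsec_proto))


def process_inbound(spi: int, outer_dst: str, ipsec_proto: str,
                    decapsulate: Callable[[], Inner]) -> str:
    """Run both stages; `decapsulate` stands in for ESP decryption and
    returns the inner selectors that were hidden until now."""
    sa = lookup_sa(spi, outer_dst, ipsec_proto)
    if sa is None:
        return "DROP: no SA for triple"
    src, dst, proto, port = decapsulate()
    # Stage 2: audit the now-visible selectors against the SA's.
    if not sa.selectors.matches(src, dst, proto, port):
        return "DROP: selectors do not match SA"
    return "ACCEPT"


def demo() -> Tuple[str, str, str]:
    """Three constructed packets: a good one, a wrong-SA one, an unknown SPI."""
    good = process_inbound(0x1001, "192.0.2.1", "ESP",
                           lambda: ("10.1.5.5", "10.2.7.7", 6, 443))
    wrong_sa = process_inbound(0x1001, "192.0.2.1", "ESP",
                               lambda: ("10.9.0.1", "10.2.7.7", 6, 443))
    unknown = process_inbound(0x2002, "192.0.2.1", "ESP",
                              lambda: ("10.1.5.5", "10.2.7.7", 6, 443))
    return good, wrong_sa, unknown


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second constructed packet is the case the thread describes: its triple finds the SA, so it is decrypted, and only then does the source address fall outside the SA's negotiated selectors, so it is dropped after IPsec processing rather than before. In a real stack that drop is an auditable event worth logging with the SPI and the mismatching selector.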

