Checking incoming traffic against SPD
I have a question concerning inbound IPsec processing.
RFC-2401 describes how incoming traffic should be handled,
(section 5.2 Processing Inbound IP Traffic):
"1. Use the packet's destination address (outer IP header),
IPsec protocol, and SPI to look up the SA in the SAD.
. . .
2. Use the SA found in (1) to do the IPsec processing, e.g.,
authenticate and decrypt. This step includes matching the
packet's (Inner Header if tunneled) selectors to the
selectors in the SA.
. . .
Do (1) and (2) for every IPsec header until a Transport
Protocol Header or an IP header that is NOT for this
system is encountered.
. . .
3. Find an incoming policy in the SPD that matches the
packet. This could be done, for example, by use of
backpointers from the SAs to the SPD or by matching the
packet's selectors (Inner Header if tunneled) against
those of the policy entries in the SPD.
4. Check whether the required IPsec processing has been
applied, i.e., verify that the SA's found in (1) and (2)
match the kind and order of SAs required by the policy
found in (3).
NOTE: The correct "matching" policy will not necessarily
be the first inbound policy found. If the check in (4)
fails, steps (3) and (4) are repeated until all policy
entries have been checked or until the check succeeds. "
Question: How can the first inbound policy found not be the correct policy, except when security gateways are inconsistently configured?
Thanks, Fergus
-- Tel. : (408) 328-5445 E-mail: fletcher@cylink.com
-- Fax. : (408) 735-6645
-- Cylink Corporation,
-- 910 Hermosa Court , Sunnyvale, CA 94086
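As an added illustration, not part of Fergus's post or of the RFC text, the following Python models the four inbound steps quoted above from RFC 2401 section 5.2, including the NOTE's retry over steps (3) and (4). The SAD, SPD, addresses and packets are constructed for the example; the two overlapping SPD entries are deliberately ordered so that the first entry whose selectors match the packet requires a different SA bundle than the one the packet actually arrived under, which is exactly the situation the NOTE's loop exists to handle.

```python
"""Model of RFC 2401 s5.2 inbound processing, steps 1-4 plus the retry NOTE.
Added example: the SAD/SPD contents and addresses below are constructed.
Assumes every IPsec header in the packet is addressed to this system, so the
header list is already fully parsed (the "until an IP header NOT for this
system" stop condition is not modelled)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ESP, AH = 50, 51  # IANA protocol numbers for ESP and AH


@dataclass(frozen=True)
class Selectors:
    src: str
    dst: str
    proto: int                    # 0 acts as "any protocol"
    dport: Optional[int] = None   # None acts as "any port"

    def covers(self, pkt: "Selectors") -> bool:
        """True if these (policy or SA) selectors match a packet's selectors."""
        return (self.src in ("*", pkt.src)
                and self.dst in ("*", pkt.dst)
                and self.proto in (0, pkt.proto)
                and self.dport in (None, pkt.dport))


@dataclass(frozen=True)
class SA:
    dst: str
    ipsec_proto: int              # ESP or AH
    spi: int
    selectors: Selectors          # traffic this SA is allowed to carry


@dataclass(frozen=True)
class Policy:
    selectors: Selectors
    required: Tuple[int, ...]     # kind and order of IPsec protocols required


@dataclass(frozen=True)
class Packet:
    outer_dst: str
    headers: List[Tuple[int, int]]   # (ipsec_proto, spi) in on-the-wire order
    inner: Selectors                 # selectors of the protected packet


def lookup_sa(sad: List[SA], dst: str, proto: int, spi: int) -> Optional[SA]:
    """Step 1: SAD lookup keyed on outer destination, IPsec protocol, SPI."""
    for sa in sad:
        if (sa.dst, sa.ipsec_proto, sa.spi) == (dst, proto, spi):
            return sa
    return None


def process_inbound(packet: Packet, sad: List[SA], spd: List[Policy]):
    """Return (accepted, tried, reason); `tried` lists the SPD indices whose
    selectors matched the packet and were therefore checked in step 4."""
    chain: List[int] = []
    for proto, spi in packet.headers:
        sa = lookup_sa(sad, packet.outer_dst, proto, spi)        # step 1
        if sa is None:
            return False, [], "step 1: no SA in SAD"
        if not sa.selectors.covers(packet.inner):                 # step 2
            return False, [], "step 2: packet selectors do not match the SA"
        chain.append(sa.ipsec_proto)
    tried: List[int] = []
    for i, pol in enumerate(spd):
        if not pol.selectors.covers(packet.inner):                # step 3
            continue
        tried.append(i)
        if tuple(chain) == pol.required:                          # step 4
            return True, tried, f"accepted under SPD entry {i}"
        # NOTE: check failed, so steps 3 and 4 repeat with the next entry
    return False, tried, "step 4: no matching policy accepts this SA bundle"


def demo():
    """Constructed SAD/SPD; entry 0 is general, entry 1 is the specific one."""
    gw, host = "192.0.2.1", "198.51.100.7"
    any_tcp = Selectors(host, gw, 6)
    https = Selectors(host, gw, 6, 443)
    ssh = Selectors(host, gw, 6, 22)
    sad = [SA(gw, ESP, 0x1001, any_tcp), SA(gw, AH, 0x2001, any_tcp)]
    spd = [Policy(any_tcp, (AH, ESP)),   # entry 0: TCP must arrive as AH+ESP
           Policy(https, (ESP,))]        # entry 1: HTTPS alone may be ESP-only
    return {
        "esp_only_https": process_inbound(Packet(gw, [(ESP, 0x1001)], https), sad, spd),
        "esp_only_ssh": process_inbound(Packet(gw, [(ESP, 0x1001)], ssh), sad, spd),
        "ah_esp_ssh": process_inbound(Packet(gw, [(AH, 0x2001), (ESP, 0x1001)], ssh), sad, spd),
    }


if __name__ == "__main__":
    for name, (ok, tried, why) in demo().items():
        print(f"{name}: accepted={ok} tried={tried} ({why})")
```

In the `esp_only_https` case step 3 first finds entry 0, step 4 fails because the packet arrived under ESP alone, and the loop moves on to entry 1, which accepts it; the `esp_only_ssh` packet is rejected once every matching entry has been checked.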