
Re: Checking incoming traffic against SPD



Hi Fergus,
This problem arises only when you are sharing an SA with different SPD
entries, resulting in an SA having backlinks to more than one SPD entry.
In this scenario there is a possibility of a mismatch in the "kind and order" of
SAs of the inbound policy.

-Regards
 Rohit

At 06:07 PM 7/21/99 -0500, you wrote:
>I have a question concerning inbound IPsec processing.
>
>RFC-2401 describes how incoming traffic should be handled,
>(section 5.2 Processing Inbound IP Traffic):
>
>"1. Use the packet's destination address (outer IP header),
>    IPsec protocol, and SPI to look up the SA in the SAD. 
>    . . .
>
> 2. Use the SA found in (1) to do the IPsec processing, e.g.,
>    authenticate and decrypt. This step includes matching the
>    packet's (Inner Header if tunneled) selectors to the
>    selectors in the SA. 
>    . . .
>    Do (1) and (2) for every IPsec header until a Transport
>    Protocol Header or an IP header that is NOT for this
>    system is encountered. 
>    . . .
> 3. Find an incoming policy in the SPD that matches the
>    packet.  This could be done, for example, by use of
>    backpointers from the SAs to the SPD or by matching the
>    packet's selectors (Inner Header if tunneled) against
>    those of the policy entries in the SPD.
>
> 4. Check whether the required IPsec processing has been
>    applied, i.e., verify that the SA's found in (1) and (2)
>    match the kind and order of SAs required by the policy
>    found in (3).
>
>    NOTE: The correct "matching" policy will not necessarily
>          be the first inbound policy found.  If the check in (4)
>          fails, steps (3) and (4) are repeated until all policy
>          entries have been checked or until the check succeeds.   "
>
>
>Question:  How can the first inbound policy found not be
>--------   the correct policy, except when security
>           gateways are inconsistently configured ?
>
>
>Thanks,  Fergus
>
>
>
>-- Tel. : (408) 328-5445   E-mail: fletcher@cylink.com
>-- Fax. : (408) 735-6645      
>-- Cylink Corporation,           
>-- 910 Hermosa Court ,     Sunnyvale, CA 94086
>
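The four-step inbound check quoted above, and the shared-SA situation Rohit describes, modelled as an added example (this is not code from the original thread, from RFC 2401 or from any IPsec implementation). The SPD, SAD and packets are constructed for illustration; the model is transport mode only, so the packet's own IP header supplies the selectors, and policy candidates are found through SA backpointers in whatever order the SAD lists them. The ESP SA is deliberately shared by two SPD entries, so the first policy a backpointer yields (P1) can fail the kind-and-order check in step 4 while the next one (P2) passes, which is exactly the case the RFC's NOTE covers.

```python
"""Model of the RFC 2401 section 5.2 inbound checks (steps 1-4).

Constructed example, transport mode only: the packet's own IP header
supplies the selectors (a tunnel-mode model would use the inner header).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Layer = Tuple[str, str]  # (IPsec protocol, mode), e.g. ("ESP", "transport")


@dataclass
class SPDEntry:
    name: str
    src: str               # CIDR selectors
    dst: str
    required: List[Layer]  # kind and order of SAs demanded, outermost first

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


@dataclass
class SA:
    spi: int
    proto: str               # "AH" or "ESP"
    mode: str
    dst: str                 # destination address the SAD is keyed on
    src_sel: str             # selectors negotiated for this SA
    dst_sel: str
    backpointers: List[str]  # SPD entries that share this SA


@dataclass
class Packet:
    src: str
    dst: str
    headers: List[Tuple[str, int]]  # IPsec headers outermost first: (proto, SPI)


class InboundProcessor:
    def __init__(self, spd: List[SPDEntry], sad: List[SA]) -> None:
        self.spd: Dict[str, SPDEntry] = {e.name: e for e in spd}
        self.sad: Dict[Tuple[str, str, int], SA] = {
            (sa.dst, sa.proto, sa.spi): sa for sa in sad}

    def lookup_sas(self, pkt: Packet) -> Optional[List[SA]]:
        """Steps 1 and 2: (dst, proto, SPI) lookup for every IPsec header,
        then check the packet's selectors against the SA's selectors."""
        applied: List[SA] = []
        for proto, spi in pkt.headers:
            sa = self.sad.get((pkt.dst, proto, spi))
            if sa is None:
                return None  # unknown SA: drop (and audit)
            if not (ip_address(pkt.src) in ip_network(sa.src_sel)
                    and ip_address(pkt.dst) in ip_network(sa.dst_sel)):
                return None  # selector mismatch: drop
            applied.append(sa)
        return applied

    def candidate_policies(self, applied: List[SA], pkt: Packet) -> List[SPDEntry]:
        """Step 3 via backpointers: every SPD entry any applied SA points at,
        in the order the SAD happens to list them, filtered by selectors."""
        names: List[str] = []
        for sa in applied:
            for name in sa.backpointers:
                if name not in names:
                    names.append(name)
        return [self.spd[n] for n in names if self.spd[n].matches(pkt.src, pkt.dst)]

    def process(self, pkt: Packet) -> Tuple[Optional[str], List[str]]:
        """Return (satisfied policy name or None, policies tried in order).
        Step 4: kind and order of the applied SAs must equal what the policy
        requires; on failure move on to the next candidate (the RFC's NOTE)."""
        applied = self.lookup_sas(pkt)
        if applied is None:
            return None, []
        got = [(sa.proto, sa.mode) for sa in applied]
        tried: List[str] = []
        for policy in self.candidate_policies(applied, pkt):
            tried.append(policy.name)
            if policy.required == got:
                return policy.name, tried
        return None, tried  # no policy satisfied: drop


# Constructed SPD/SAD on host 10.2.0.9.  The ESP SA is shared by P1 and P2,
# which is what makes the first backpointer (P1) the wrong policy for ESP-only traffic.
SPD = [
    SPDEntry("P1", "10.1.0.0/16", "10.2.0.9/32",
             required=[("AH", "transport"), ("ESP", "transport")]),
    SPDEntry("P2", "10.1.5.7/32", "10.2.0.9/32",
             required=[("ESP", "transport")]),
]
SAD = [
    SA(0x1001, "AH", "transport", "10.2.0.9", "10.1.5.7/32", "10.2.0.9/32", ["P1"]),
    SA(0x2001, "ESP", "transport", "10.2.0.9", "10.1.5.7/32", "10.2.0.9/32", ["P1", "P2"]),
]
PROC = InboundProcessor(SPD, SAD)


def esp_only() -> Tuple[Optional[str], List[str]]:
    return PROC.process(Packet("10.1.5.7", "10.2.0.9", [("ESP", 0x2001)]))


def ah_then_esp() -> Tuple[Optional[str], List[str]]:
    return PROC.process(Packet("10.1.5.7", "10.2.0.9", [("AH", 0x1001), ("ESP", 0x2001)]))


def esp_then_ah() -> Tuple[Optional[str], List[str]]:
    return PROC.process(Packet("10.1.5.7", "10.2.0.9", [("ESP", 0x2001), ("AH", 0x1001)]))


if __name__ == "__main__":
    print(esp_only())      # P1 tried first and fails, P2 satisfied
    print(ah_then_esp())   # P1 satisfied on the first try
    print(esp_then_ah())   # right SAs, wrong order: no policy satisfied, drop
```

The third packet is the reason step 4 compares order and not just the set of protocols: both SAs are valid and both selector checks pass, yet neither policy is satisfied and the packet must be dropped. Whether P1 or P2 is tried first is an accident of how the SAD stores the backpointers, which is why the RFC cannot promise that the first inbound policy found is the right one.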

