
Re: Checking incoming traffic against SPD



Hi,
Sorry, it seems I am not in sync with the latest IPsec RFC. I think sharing of
SAs was present in some earlier IPsec drafts; later it was removed. If SAs
are instantiations of a single SPD entry, then the first matching inbound policy
will definitely have "the kind and order of SAs" required, *iff* you have a
backpointer from the SAs to the SPD entry.

-Regards
 Rohit


At 09:01 AM 7/22/99 -0400, Aaron Griggs wrote:
>>  3. Find an incoming policy in the SPD that matches the
>>     packet.  This could be done, for example, by use of
>>     backpointers from the SAs to the SPD or by matching the
>>     packet's selectors (Inner Header if tunneled) against
>>     those of the policy entries in the SPD.
>>
>>  4. Check whether the required IPsec processing has been
>>     applied, i.e., verify that the SA's found in (1) and (2)
>>     match the kind and order of SAs required by the policy
>>     found in (3).
>>
>>     NOTE: The correct "matching" policy will not necessarily
>>           be the first inbound policy found.  If the check in (4)
>>           fails, steps (3) and (4) are repeated until all policy
>>           entries have been checked or until the check succeeds.   "
>>
>>
>> Question:  How can the first inbound policy found not be
>> --------   the correct policy, except when security
>>            gateways are inconsistently configured ?
>>
>>
>
>This can occur because the inbound security policies (SP) are not required
>to be in order.  So if you do the inbound verification by matching the
>selectors to the inbound SP list, you could hit a policy that matches but
>the SA does not.  You must keep checking to find the correct SP.  An
>alternative is to use the SA found during the inbound packet processing and
>do a check of the SP (if the SA has a back pointer to the SP).  However in
>the case of bypass or drop, no SA is found and you still need to search the
>inbound SPs.
>
>A previous email mentioned this occurs due to the sharing of SAs.  Can you
>even share SAs since they are really instantiations of the SP entry (many
>SAs to one SP)?
>
>Aaron
>
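The two lookups discussed in this thread, as an added example that is not part of the original messages and not taken from any IPsec implementation: a walk of an unordered inbound SPD in the manner of RFC 2401 steps 3 and 4, where a selector match alone is not enough and the search continues past a policy whose required SA kind/order does not match, and the back-pointer shortcut from the applied SA to its SPD entry. The `SPDEntry`/`SA` classes, the `spd_entry` back-pointer field, the SPD contents and the packets are all constructed for illustration; SA chains are written outermost-first, in the order an inbound packet is processed.

```python
"""Inbound SPD verification sketch (RFC 2401 steps 3 and 4). Added example;
the data structures, field names and sample policies are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SAChain = Tuple[Tuple[str, str], ...]   # ((proto, mode), ...), outermost first


@dataclass
class SPDEntry:
    name: str
    src: str                     # CIDR selector
    dst: str                     # CIDR selector
    ip_proto: Optional[int]      # None = any upper-layer protocol
    action: str                  # "protect", "bypass" or "discard"
    required: SAChain = ()       # kind and order of SAs a protect entry needs

    def matches(self, src_ip: str, dst_ip: str, ip_proto: int) -> bool:
        """Selector match only (step 3); says nothing about the SAs."""
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.ip_proto is None or self.ip_proto == ip_proto))


@dataclass
class SA:
    spi: int
    proto: str                   # "AH" or "ESP"
    mode: str                    # "transport" or "tunnel"
    spd_entry: Optional[SPDEntry] = None   # back pointer to the policy (assumed field)


def sa_chain(sas: List[SA]) -> SAChain:
    return tuple((sa.proto, sa.mode) for sa in sas)


def inbound_decision(spd, selectors, applied_sas):
    """Walk the (unordered) inbound SPD.  A selector match is only a candidate;
    step 4 must also pass, otherwise the next entry is tried.  Bypass/discard
    entries only apply when no SA was applied at all."""
    src, dst, proto = selectors
    chain = sa_chain(applied_sas)
    for entry in spd:
        if not entry.matches(src, dst, proto):
            continue
        if entry.action in ("bypass", "discard") and not chain:
            return ("accept" if entry.action == "bypass" else "drop", entry.name)
        if entry.action == "protect" and entry.required == chain:
            return ("accept", entry.name)
        # selectors matched but the SA kind/order did not: keep searching
    return ("drop", None)        # no policy covers this packet at all


def inbound_decision_via_backpointer(selectors, applied_sas):
    """Alternative: follow the SA's back pointer and verify that one entry.
    Returns None when no SA was applied (bypass/discard traffic), in which
    case the SPD walk above is still needed."""
    if not applied_sas:
        return None
    entries = {id(sa.spd_entry): sa.spd_entry for sa in applied_sas}
    if len(entries) != 1 or None in entries.values():
        return ("drop", None)    # bundle members disagree or lack a pointer
    entry = next(iter(entries.values()))
    src, dst, proto = selectors
    if entry.matches(src, dst, proto) and entry.required == sa_chain(applied_sas):
        return ("accept", entry.name)
    return ("drop", entry.name)


# Constructed inbound SPD.  The two "protect" entries overlap: the /24 entry
# precedes the /16 entry, so it is the first selector match for any 10.1.1.x
# source even when the traffic was negotiated under the /16 policy.
INBOUND_SPD = [
    SPDEntry("lan-ah", "10.1.1.0/24", "10.2.0.0/16", None, "protect",
             (("AH", "transport"),)),
    SPDEntry("lan-esp", "10.1.0.0/16", "10.2.0.0/16", None, "protect",
             (("ESP", "tunnel"),)),
    SPDEntry("dns-bypass", "0.0.0.0/0", "10.2.0.53/32", 17, "bypass"),
    SPDEntry("default-discard", "0.0.0.0/0", "0.0.0.0/0", None, "discard"),
]
ESP_SA = SA(spi=0x1001, proto="ESP", mode="tunnel", spd_entry=INBOUND_SPD[1])


def demo():
    pkt = ("10.1.1.5", "10.2.3.4", 6)       # inner-header selectors, TCP
    dns = ("10.9.9.9", "10.2.0.53", 17)     # plaintext DNS to the resolver
    return {
        # ESP-tunnel traffic: first selector match (lan-ah) fails step 4
        "esp_walk": inbound_decision(INBOUND_SPD, pkt, [ESP_SA]),
        "esp_backptr": inbound_decision_via_backpointer(pkt, [ESP_SA]),
        # same selectors in the clear: no protect entry is satisfied
        "clear_walk": inbound_decision(INBOUND_SPD, pkt, []),
        "dns_walk": inbound_decision(INBOUND_SPD, dns, []),
        "dns_backptr": inbound_decision_via_backpointer(dns, []),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running `demo()` shows the case the RFC NOTE describes: for the ESP-protected packet the first entry that matches by selectors (`lan-ah`) is rejected at step 4 and the walk continues to `lan-esp`, while the back-pointer check reaches `lan-esp` directly but has nothing to follow for the cleartext packets, which still need the SPD walk.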

