[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Checking incoming traffic against SPD

To: <agriggs@east.isi.edu>, rohit@mihy.mot.com
Subject: Re: Checking incoming traffic against SPD
From: fletcher@cylink.com (Fergus Fletcher)
Date: Thu, 22 Jul 1999 09:27:59 -0500
Cc: ipsec@lists.tislabs.com
In-Reply-To: <005a01bed442$4bc27dc0$634cf526@east.isi.edu>
References: <3.0.5.32.19990721180703.0104c8c0@10.1.10.20>
Sender: owner-ipsec@lists.tislabs.com

At 09:01 AM 7/22/99 -0400, you wrote:
>>  3. Find an incoming policy in the SPD that matches the
>>     packet.  This could be done, for example, by use of
>>     backpointers from the SAs to the SPD or by matching the
>>     packet's selectors (Inner Header if tunneled) against
>>     those of the policy entries in the SPD.
>>
>>  4. Check whether the required IPsec processing has been
>>     applied, i.e., verify that the SA's found in (1) and (2)
>>     match the kind and order of SAs required by the policy
>>     found in (3).
>>
>>     NOTE: The correct "matching" policy will not necessarily
>>           be the first inbound policy found.  If the check in (4)
>>           fails, steps (3) and (4) are repeated until all policy
>>           entries have been checked or until the check succeeds.   "
>>
>>
>> Question:  How can the first inbound policy found not be
>> --------   the correct policy, except when security
>>            gateways are inconsistently configured ?
>>
>>
>
>This can occur because the inbound security policies (SP) are not required
>to be in order.  So if you do the inbound verification by matching the
>selectors to the inbound SP list, you could hit a policy that matches but
>the SA does not.  You must keep checking to find the correct SP.  An
>alternative is to use the SA found during the inbound packet processing and
>do a check of the SP (if the SA has a back pointer to the SP).  However in
>the case of bypass or drop, no SA is found and you still need to search the
>inbound SPs.
>
>A previous email mentioned this occurs due to the sharing of SAs.  Can you
>even share SAs since they are really instantiations of the SP entry (many
>SAs to one SP)?
>
>Aaron
>
>

Aaron, Rohit:

I understood that Inbound SPD entries are ordered. I guess 
another way of formulating the question would be as follows:

Assume the following configuration:

           SA-1
     +----------------+
   SGW1             SGW2
     +----------------+    
           SA-2

 * SA-1 matches TCP traffic on port 300
 * SA-2 matches all TCP traffic

SGW1 Inbound SPD:       SGW2 Outbound SPD:
1. SA-1                 1. SA-2
2. SA-2                 2. SA-1

Both SGWs have the same SPD definitions, except that 
the order of the SAs are reversed.

Assume SGW2 tunnels a packet (TCP,port=300) to SGW-1
using SA-2 (per its SPD). At SGW1 the packet will:

 (1) match the selectors of the SA in which it was sent
 (2) match an entry in the SPD

however it was sent on the wrong SA.
Should SGW1 accept it ?


-- Tel. : (408) 328-5445   E-mail: fletcher@cylink.com
-- Fax. : (408) 735-6645      
-- Cylink Corporation,           
-- 910 Hermosa Court ,     Sunnyvale, CA 94086

Follow-Ups:

Re: Checking incoming traffic against SPD

From: Stephen Kent <kent@bbn.com>

Re: Checking incoming traffic against SPD

From: "Aaron Griggs" <agriggs@east.isi.edu>

Re: Checking incoming traffic against SPD

From: Dan Harkins <dharkins@network-alchemy.com>

References:

Checking incoming traffic against SPD

From: fletcher@cylink.com (Fergus Fletcher)

Re: Checking incoming traffic against SPD

From: "Aaron Griggs" <agriggs@east.isi.edu>

Prev by Date: RE: Comment on xauth and hybrid
Next by Date: Re: Checking incoming traffic against SPD
Prev by thread: Re: Checking incoming traffic against SPD
Next by thread: Re: Checking incoming traffic against SPD
Index(es):
- Main
- Thread