
Re: Checking incoming traffic against SPD



Hi Fergus,

> I understood that Inbound SPD entries are ordered. I guess
> another way of formulating the question would be as follows:
>

I think it should be, and my implementation does require it to be ordered.
Maybe later, I'll do a sorting algorithm to order them for the user.  Also,
most policies are bidirectional, so if the outbound is ordered then inbound
is ordered.

> Assume the following configuration:
>
>            SA-1
>      +----------------+
>    SGW1             SGW2
>      +----------------+
>            SA-2
>
>  * SA-1 matches TCP traffic on port 300
>  * SA-2 matches all TCP traffic
>
> SGW1 Inbound SPD:       SGW2 Outbound SPD:
> 1. SA-1                 1. SA-2
> 2. SA-2                 2. SA-1
>
> Both SGWs have the same SPD definitions, except that
> the order of the SAs are reversed.
>
> Assume SGW2 tunnels a packet (TCP,port=300) to SGW-1
> using SA-2 (per its SPD). At SGW1 the packet will:
>
>  (1) match the selectors of the SA in which it was sent
>  (2) match an entry in the SPD
>
> however it was sent on the wrong SA.
> Should SGW1 accept it ?
>

I'd say no, that SGW1 should drop the traffic.  Maybe TCP port 300 needs to
be more secure, so letting traffic in with a different SA is bad.  This case
is one of the security gateways being "misconfigured."  The best way to
prevent it from working is to deny the traffic.

Aaron
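The scenario in the quoted question and the strict inbound check argued for in the reply, as an added example (not code from either poster or from any IPsec implementation). It models an SPD as an ordered list with first-match semantics and an inbound decision that accepts a packet only when the SA it arrived on is the SA required by the first matching inbound entry. The policy names, the port number 300 and the two-gateway layout come from the thread; the data structures, function names and the "drop" verdict for a no-policy packet are assumptions made for this illustration.

```python
"""Ordered SPD lookup plus an inbound SA-consistency check.

Added example, not code from the mailing-list thread. The entries, the
port number (300) and the opposite orderings at SGW1 and SGW2 follow the
quoted question; everything else is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int


@dataclass(frozen=True)
class SpdEntry:
    """One policy: traffic selectors plus the SA such traffic must use."""
    name: str
    proto: str
    dport: Optional[int]  # None means "any port"
    sa: str

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and (
            self.dport is None or self.dport == pkt.dport
        )


def first_match(spd: List[SpdEntry], pkt: Packet) -> Optional[SpdEntry]:
    """Ordered first-match lookup: earlier entries in the list win."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return None


def outbound_sa(spd: List[SpdEntry], pkt: Packet) -> Optional[str]:
    """Which SA the sending gateway will use for this packet."""
    entry = first_match(spd, pkt)
    return entry.sa if entry else None


def inbound_decision(spd: List[SpdEntry], pkt: Packet, arrived_on_sa: str) -> str:
    """Strict inbound check as argued in the reply.

    'accept' only if the SA the packet arrived on is the SA required by the
    first matching inbound entry. A packet that matches a policy but arrived
    on a different SA is treated as a misconfiguration and dropped, as is a
    packet no entry covers (that default is an assumption here).
    """
    entry = first_match(spd, pkt)
    if entry is None:
        return "drop"
    if entry.sa != arrived_on_sa:
        return "drop"
    return "accept"


# Constructed policies mirroring the thread: SA-1 covers TCP/300 only,
# SA-2 covers all TCP. SGW1 lists SA-1 first; SGW2 lists SA-2 first.
SGW1_INBOUND: List[SpdEntry] = [
    SpdEntry("SA-1 policy", "TCP", 300, "SA-1"),
    SpdEntry("SA-2 policy", "TCP", None, "SA-2"),
]
SGW2_OUTBOUND: List[SpdEntry] = [
    SpdEntry("SA-2 policy", "TCP", None, "SA-2"),
    SpdEntry("SA-1 policy", "TCP", 300, "SA-1"),
]


def scenario() -> Tuple[Optional[str], str]:
    """SGW2 sends TCP/300 using its own (reversed) ordering; SGW1 checks it."""
    pkt = Packet("TCP", 300)
    chosen = outbound_sa(SGW2_OUTBOUND, pkt)  # SA-2, because it is listed first
    return chosen, inbound_decision(SGW1_INBOUND, pkt, chosen or "")


if __name__ == "__main__":
    sa, verdict = scenario()
    print(f"SGW2 chose {sa}; SGW1 verdict for TCP/300 on {sa}: {verdict}")
    # With both gateways ordered the same way, the packet would be accepted.
    consistent = list(reversed(SGW2_OUTBOUND))
    sa2 = outbound_sa(consistent, Packet("TCP", 300))
    print(f"Consistent ordering chooses {sa2}: "
          f"{inbound_decision(SGW1_INBOUND, Packet('TCP', 300), sa2 or '')}")
```

The point of the example is that the mismatch is only visible at the receiver if inbound processing compares the arriving SA against the SA the matching inbound SPD entry requires, rather than stopping once the selectors match some entry; with the first ordering the port-300 packet is dropped, and reversing SGW2's order makes both gateways agree on SA-1.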



