Re: Checking incoming traffic against SPD
Hi Fergus,
> I understood that Inbound SPD entries are ordered. I guess
> another way of formulating the question would be as follows:
>
I think it should be, and my implementation does require it to be ordered.
Maybe later I'll do a sorting algorithm to order them for the user. Also,
most policies are bidirectional, so if the outbound is ordered, then the
inbound is ordered.
> Assume the following configuration:
>
>            SA-1
>      +----------------+
> SGW1                    SGW2
>      +----------------+
>            SA-2
>
> * SA-1 matches TCP traffic on port 300
> * SA-2 matches all TCP traffic
>
> SGW1 Inbound SPD: SGW2 Outbound SPD:
> 1. SA-1 1. SA-2
> 2. SA-2 2. SA-1
>
> Both SGWs have the same SPD definitions, except that
> the order of the SAs are reversed.
>
> Assume SGW2 tunnels a packet (TCP,port=300) to SGW-1
> using SA-2 (per its SPD). At SGW1 the packet will:
>
> (1) match the selectors of the SA in which it was sent
> (2) match an entry in the SPD
>
> however it was sent on the wrong SA.
> Should SGW1 accept it ?
>
I'd say no, SGW1 should drop the traffic. Maybe TCP port 300 needs to
be more secure, so letting traffic in with a different SA is bad. This case
is one of the security gateways being "misconfigured." The best way to
prevent it from working is to deny the traffic.
Aaron
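The inbound check discussed in this exchange, as an added example in Python (not Aaron's implementation and not code from the thread). It models the two steps Fergus lists (the packet must match the selectors of the SA it arrived on, and must match an SPD entry) plus the rule Aaron argues for: when the first matching inbound SPD entry names a different SA than the one the packet arrived on, the packet is dropped. The `Selector`, `Packet` and `SpdEntry` classes, the SAD/SPD tables and the SGW1/SGW2 configuration below are constructed from the thread's example and are assumptions of this example, not part of any real IPsec stack.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCEPT = "accept"
DROP = "drop"


@dataclass(frozen=True)
class Selector:
    """Traffic selector: protocol plus an optional destination port (None = any)."""
    proto: str
    dport: Optional[int] = None

    def matches(self, pkt: "Packet") -> bool:
        return pkt.proto == self.proto and (self.dport is None or self.dport == pkt.dport)


@dataclass(frozen=True)
class SpdEntry:
    """One ordered SPD entry: the traffic it covers and the SA it must use."""
    selector: Selector
    sa: str


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    sa: Optional[str] = None  # SA the packet arrived on (None for outbound traffic)


def spd_lookup(spd: List[SpdEntry], pkt: Packet) -> Optional[SpdEntry]:
    """First-match lookup; the SPD is ordered, most specific entry first."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry
    return None


def outbound_select(spd: List[SpdEntry], pkt: Packet) -> Optional[str]:
    """Outbound side: the first matching SPD entry decides which SA carries the packet."""
    entry = spd_lookup(spd, pkt)
    return entry.sa if entry else None


def inbound_check(spd: List[SpdEntry], sad: Dict[str, Selector], pkt: Packet) -> Tuple[str, str]:
    """Inbound side, after decapsulation:
    (1) the packet must match the selectors of the SA it arrived on,
    (2) it must match an inbound SPD entry, and
    (3) that entry must name the SA it arrived on; otherwise it is dropped."""
    sa_selector = sad.get(pkt.sa)
    if sa_selector is None or not sa_selector.matches(pkt):
        return DROP, f"packet does not match the selectors of {pkt.sa}"
    entry = spd_lookup(spd, pkt)
    if entry is None:
        return DROP, "no inbound SPD entry matches"
    if entry.sa != pkt.sa:
        return DROP, f"arrived on {pkt.sa} but policy requires {entry.sa}"
    return ACCEPT, f"matched inbound SPD entry for {entry.sa}"


# Constructed configuration, following the thread:
#   SA-1 carries TCP port 300, SA-2 carries all TCP.
SAD = {"SA-1": Selector("tcp", 300), "SA-2": Selector("tcp")}

SGW1_INBOUND_SPD = [                        # SGW1: specific entry first
    SpdEntry(Selector("tcp", 300), "SA-1"),
    SpdEntry(Selector("tcp"), "SA-2"),
]
SGW2_OUTBOUND_SPD = [                       # SGW2: order reversed (misconfigured)
    SpdEntry(Selector("tcp"), "SA-2"),
    SpdEntry(Selector("tcp", 300), "SA-1"),
]


def replay_thread_scenario() -> Tuple[str, str]:
    """SGW2 picks an SA for a TCP/300 packet, SGW1 checks it on arrival."""
    chosen = outbound_select(SGW2_OUTBOUND_SPD, Packet("tcp", 300))
    return inbound_check(SGW1_INBOUND_SPD, SAD, Packet("tcp", 300, chosen))


if __name__ == "__main__":
    print(replay_thread_scenario())
```

Because SGW2's catch-all entry is listed first, `outbound_select` returns `SA-2` for port 300; SGW1's first-match lookup finds the port-300 entry bound to `SA-1`, so step (3) fails and the packet is dropped even though it passed the SA selector check and matched an SPD entry. Ordering the outbound SPD with the specific entry first makes both gateways agree, which is the "bidirectional policy, same order" point made above.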