[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Checking incoming traffic against SPD

To: fletcher@cylink.com (Fergus Fletcher)
Subject: Re: Checking incoming traffic against SPD
From: Dan Harkins <dharkins@network-alchemy.com>
Date: Thu, 22 Jul 1999 10:53:27 -0700
cc: agriggs@east.isi.edu, rohit@mihy.mot.com, ipsec@lists.tislabs.com
In-reply-to: Your message of "Thu, 22 Jul 1999 09:27:59 CDT." <3.0.5.32.19990722092759.0102fb00@10.1.10.20>
Sender: owner-ipsec@lists.tislabs.com

  In a case like this I think it's prudent to follow the example of
routing and take the longest match regardless of the "ordering" of
the SAs. 

  Dan.

On Thu, 22 Jul 1999 09:27:59 CDT you wrote
>
> I understood that Inbound SPD entries are ordered. I guess 
> another way of formulating the question would be as follows:
> 
> Assume the following configuration:
> 
>            SA-1
>      +----------------+
>    SGW1             SGW2
>      +----------------+    
>            SA-2
> 
>  * SA-1 matches TCP traffic on port 300
>  * SA-2 matches all TCP traffic
> 
> SGW1 Inbound SPD:       SGW2 Outbound SPD:
> 1. SA-1                 1. SA-2
> 2. SA-2                 2. SA-1
> 
> Both SGWs have the same SPD definitions, except that 
> the order of the SAs are reversed.
> 
> Assume SGW2 tunnels a packet (TCP,port=300) to SGW-1
> using SA-2 (per its SPD). At SGW1 the packet will:
> 
>  (1) match the selectors of the SA in which it was sent
>  (2) match an entry in the SPD
> 
> however it was sent on the wrong SA.
> Should SGW1 accept it ?

References:

Re: Checking incoming traffic against SPD

From: fletcher@cylink.com (Fergus Fletcher)

Prev by Date: Re: Checking incoming traffic against SPD
Next by Date: RE: Comment on xauth and hybrid
Prev by thread: Re: Checking incoming traffic against SPD
Next by thread: Re: Checking incoming traffic against SPD
Index(es):
- Main
- Thread