
Re: inbound Spd lookup for IPsec packets.



Stephen Kent wrote:
> 
> Amal,
> 
> If we fail to check the inbound packet header against the selectors after
> IPsec processing, then anyone who is authorized to connect to an IPsec site
> can masquerade as any other connected user, and they can send traffic not
> authorized by the negotiation carried out by IKE.  This can happen for both
> transport and tunnel mode SAs, although it is potentially more serious for
> the latter as there are more opportunities to deviate from the SA profile.
> 
> Steve

Steve,

What I am wondering about is not whether to check the selectors against
the inbound traffic or not.  For IPsec inbound processing, the architecture
mentions that the SA (once located in the inbound SAD using the spi, prot, addr)
is applied to the packet (decrypt/verify), then the packet is 1) matched against
the SA selectors, and then 2) matched against the inbound Spd.

What I was wondering about is this: if we've done the check of the inbound
traffic against the SA selectors (1) and that passed, what is the check
against the inbound Spd (2) going to further guard us against?

Amal.
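The inbound sequence described in the post (SAD lookup by spi, protocol and address, then the SA selector check, then the inbound SPD check), sketched as an added Python example that is not from this thread or from any IPsec implementation. All tables and packets are constructed sample data; modelling the SPD stage as "the first matching policy must call for the protection that was actually applied" is an assumption of this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:            # inner IP header as seen after decrypt/verify
    src: str; dst: str; proto: int

@dataclass(frozen=True)
class SA:                # inbound SAD entry, keyed by (spi, ipsec_proto, tunnel_dst)
    spi: int
    ipsec_proto: str     # "ESP" or "AH"
    tunnel_dst: str
    mode: str            # "tunnel" or "transport"
    sel_src: str; sel_dst: str; sel_proto: int   # IKE-negotiated selectors (CIDR, 0 = any proto)

@dataclass(frozen=True)
class Policy:            # inbound SPD entry; the SPD is an ordered list, first match wins
    src: str
    dst: str
    proto: int
    action: str          # "PROTECT", "BYPASS" or "DISCARD"
    req_proto: str = ""; req_mode: str = ""      # for PROTECT: protocol and mode required

def in_selectors(src, dst, proto, pkt):
    return (ip_address(pkt.src) in ip_network(src)
            and ip_address(pkt.dst) in ip_network(dst)
            and proto in (0, pkt.proto))

def inbound_process(sad, spd, spi, ipsec_proto, outer_dst, inner):
    """Return (verdict, stage) for one packet whose decrypt/verify already succeeded."""
    sa = sad.get((spi, ipsec_proto, outer_dst))
    if sa is None:
        return "DISCARD", "no SA"
    # (1) the inner header must fall within the selectors negotiated for this SA
    if not in_selectors(sa.sel_src, sa.sel_dst, sa.sel_proto, inner):
        return "DISCARD", "SA selectors"
    # (2) inbound SPD (modelling assumption): the policy for this traffic must
    #     require exactly the protection this SA applied; anything else is discarded
    for pol in spd:
        if in_selectors(pol.src, pol.dst, pol.proto, inner):
            ok = (pol.action == "PROTECT" and pol.req_proto == sa.ipsec_proto
                  and pol.req_mode == sa.mode)
            return ("ACCEPT" if ok else "DISCARD"), "SPD"
    return "DISCARD", "SPD"      # no matching policy at all

# Constructed sample tables: one broad ESP tunnel SA, narrower per-host policies.
SAD = {(0x1001, "ESP", "203.0.113.1"):
       SA(0x1001, "ESP", "203.0.113.1", "tunnel", "10.1.0.0/16", "10.2.0.0/16", 0)}
SPD = [Policy("10.1.0.0/16", "10.2.0.10/32", 0, "PROTECT", "ESP", "tunnel"),
       Policy("10.1.0.0/16", "10.2.0.20/32", 0, "DISCARD")]
```

With these tables a packet to 10.2.0.20 passes the SA selectors (stage 1) but is dropped at the SPD (stage 2), while one to 10.2.0.10 passes both.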
