
Re: inbound Spd lookup for IPsec packets.



Amal,

>What I am wondering about is not whether to check the selectors against
>the inbound traffic or not.  For ipsec inbound processing, the architecture
>mentions that the SA (once located in the inbound SAD using the spi,prot,addr)
>is applied to the packet (decrypt/verify), then the packet is 1) matched
>against the SA selectors, and then 2) matched against the inbound Spd.
>
>What I was wondering about, is if we've done the check of the inbound
>traffic against the SA selectors (1) and that passed, what is the check
>against the inbound Spd (2) going to further guard us against?

Let me try again, with an example.  If all traffic between two hosts is
supposed to be protected by AH and by ESP (transport mode), then an
attacker could strip off the AH, and modify parts of the IP header that
were covered by AH.  Since, in transport mode, this header info is passed
to the ULPs, this might result in unintended consequences, which is why the
traffic was protected with AH to begin with.  The fact that AH was stripped
from the packet by an attacker would not be detected by inbound IPsec
processing unless we check against the SPD, which would show that all
traffic was supposed to be protected by BOTH AH and ESP.

Steve
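The processing order discussed in this exchange (SAD lookup, apply the SA, check the SA's selectors, then check the inbound SPD) modelled in Python, as an added illustration that is not code from this thread or from any IPsec implementation. Host addresses, SPIs and the "all traffic between A and B needs AH and ESP" policy are constructed for the example; cryptographic verification is stubbed out as always succeeding so that only the selector/policy logic is shown. The point it demonstrates is Steve's: with AH stripped, every per-SA check still passes, and only the SPD comparison notices that a required protection is missing.

```python
"""Toy model of inbound IPsec processing order (SAD -> SA selectors -> SPD).

Added example for the "why also check the SPD" question; not from the thread
or any real stack. Addresses, SPIs and the policy below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    ulp: str  # upper-layer protocol carried, e.g. "tcp"; "any" is a wildcard

    def matches(self, src: str, dst: str, ulp: str) -> bool:
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.ulp in ("any", ulp))


@dataclass(frozen=True)
class SA:
    spi: int
    protocol: str  # "AH" or "ESP"
    dst: str
    selector: Selector


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    required: FrozenSet[str]  # IPsec protocols the traffic must arrive under


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ulp: str
    headers: Tuple[Tuple[str, int], ...]  # IPsec headers, outermost first: (protocol, SPI)


@dataclass(frozen=True)
class Verdict:
    accept: bool
    sa_checks_passed: bool  # steps 1-3 (SAD lookup + SA selectors) alone were satisfied
    reason: str


SAD = Dict[Tuple[int, str, str], SA]  # keyed by (SPI, protocol, destination address)


def inbound_process(pkt: Packet, sad: SAD, spd: List[SPDEntry]) -> Verdict:
    applied: Set[str] = set()
    # Steps 1-3: for each IPsec header locate the SA by (SPI, protocol, dst),
    # apply it (integrity check / decryption, modelled here as always passing)
    # and check the packet against that SA's own selectors.
    for protocol, spi in pkt.headers:
        sa = sad.get((spi, protocol, pkt.dst))
        if sa is None:
            return Verdict(False, False, f"no SA for SPI {spi:#x} {protocol} dst {pkt.dst}")
        if not sa.selector.matches(pkt.src, pkt.dst, pkt.ulp):
            return Verdict(False, False, f"packet outside selectors of SA SPI {spi:#x}")
        applied.add(protocol)
    # Step 4: inbound SPD check. An SA only knows its own selectors; the policy
    # entry is the only place that records which combination of protections
    # this traffic was supposed to carry, so a stripped header shows up here.
    for entry in spd:
        if entry.selector.matches(pkt.src, pkt.dst, pkt.ulp):
            if applied == set(entry.required):
                return Verdict(True, True, f"accepted, protected by {sorted(applied)}")
            missing = sorted(set(entry.required) - applied)
            return Verdict(False, True, f"SPD requires {sorted(entry.required)}, "
                                        f"packet carried {sorted(applied)}; missing {missing}")
    return Verdict(False, True, "no matching inbound SPD entry; discard")


# Constructed scenario: host B receives from host A; policy is AH + ESP, transport mode.
HOST_A, HOST_B = "10.0.0.1", "10.0.0.2"
ALL_A_TO_B = Selector(HOST_A, HOST_B, "any")


def receiver_tables() -> Tuple[SAD, List[SPDEntry]]:
    sad: SAD = {
        (0x100, "AH", HOST_B): SA(0x100, "AH", HOST_B, ALL_A_TO_B),
        (0x200, "ESP", HOST_B): SA(0x200, "ESP", HOST_B, ALL_A_TO_B),
    }
    spd = [SPDEntry(ALL_A_TO_B, frozenset({"AH", "ESP"}))]
    return sad, spd


def legitimate_packet() -> Packet:
    # Transport mode with both protocols: [IP][AH][ESP][TCP], AH outermost.
    return Packet(HOST_A, HOST_B, "tcp", (("AH", 0x100), ("ESP", 0x200)))


def ah_stripped_packet() -> Packet:
    # Attacker removed AH; header fields AH covered can now be altered in transit.
    return Packet(HOST_A, HOST_B, "tcp", (("ESP", 0x200),))


def cleartext_packet() -> Packet:
    return Packet(HOST_A, HOST_B, "tcp", ())


def demo() -> Dict[str, Verdict]:
    sad, spd = receiver_tables()
    cases = [("legitimate", legitimate_packet), ("ah_stripped", ah_stripped_packet),
             ("cleartext", cleartext_packet)]
    return {name: inbound_process(build(), sad, spd) for name, build in cases}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:12} accept={v.accept} sa_checks_passed={v.sa_checks_passed}  {v.reason}")
```

Running it shows the AH-stripped packet reaching step 4 with `sa_checks_passed=True` (the ESP SA's selectors are satisfied, so nothing before the SPD lookup objects) and then being rejected because the SPD entry demands both AH and ESP. The cleartext packet is rejected the same way, which is the other job of the inbound SPD check: unprotected traffic that policy says must be protected is discarded rather than passed up.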

