Re: Some queries regarding IP security
> Secondly, this is regarding IPsec inbound packet processing. During
> inbound packet processing, the receiver first matches the packet to its
> corresponding SAs and does IPsec processing; after this it refers to the SPD
> to verify whether the ordering of the SAs, and the SAs themselves that were applied,
> were correct. If the ordering does not match, the packet is rejected. My
> question is, what is the purpose of the last step? Once the
> packet has matched the SAs and has undergone IPsec processing
> successfully, what is the need to check again from the SPD whether the
> policy applied is correct?
Assume you're a security gateway, and have tunnels to two different
peers, A and B.
If you don't do the SPD check after decapsulating/decrypting the
packet, it is trivial for peer B to impersonate peer A and vice
versa.
- Bi
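Added example, not part of the message above or of any IPsec implementation: a toy model of the two-peer gateway Bi describes, showing why the post-decapsulation SPD check matters. The SPIs, selectors and addresses are constructed; authentication and decryption are assumed to succeed so that only the policy check is modelled.

```python
"""Toy model of IPsec inbound processing: SA lookup by SPI, decapsulation,
then the SPD/selector check that binds the inner packet to the SA it arrived on.
All SPIs, selectors and addresses are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    spi: int          # outer ESP SPI, selects the inbound SA
    inner_src: str    # source address of the decapsulated inner packet
    inner_dst: str    # destination address of the inner packet


# Inbound SA database: SPI -> (peer, traffic selector negotiated for that SA).
# Both peers' tunnels terminate on this gateway; only the selectors differ.
SAD = {
    0x1001: ("peer A", ip_network("10.1.0.0/16")),
    0x2002: ("peer B", ip_network("10.2.0.0/16")),
}


def decapsulate(pkt):
    """SA lookup plus 'IPsec processing'. Integrity check and decryption are
    assumed to succeed (the SA is valid for the peer that owns it), so this
    only returns the inner packet together with the SA that carried it."""
    if pkt.spi not in SAD:
        raise ValueError("no inbound SA for SPI")
    return pkt, SAD[pkt.spi]


def spd_check(inner, sa):
    """The post-decapsulation SPD verification: the inner packet's selectors
    must match the policy bound to the SA it was received on. A real SPD
    matches the full selector set (src, dst, protocol, ports); source address
    is enough to show the point here."""
    _peer, selector = sa
    return ip_address(inner.inner_src) in selector


def inbound(pkt, verify_spd=True):
    """Returns 'forwarded' or 'rejected'. With verify_spd=False the gateway
    trusts any inner packet that decrypted correctly, so peer B's tunnel can
    deliver a packet claiming a source inside peer A's network."""
    inner, sa = decapsulate(pkt)
    if verify_spd and not spd_check(inner, sa):
        return "rejected"
    return "forwarded"
```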