
Re: Some queries regarding IP security



> Secondly, this is regarding IPsec inbound packet processing. During
> inbound packet processing, the receiver first matches the packet to its
> corresponding SAs, does IPsec processing, and after this it refers to the SPD
> to verify whether the ordering of the SAs, and the SAs themselves that were
> applied, were correct. If the ordering does not match, the packet is rejected.
> My question is, what is the purpose of the last step? Once the
> packet has matched the SAs and has undergone IPsec processing
> successfully, what is the need to again check from the SPD whether the
> policy applied is correct?

Assume you're a security gateway, and have tunnels to two different
peers, A and B.

If you don't do the SPD check after decapsulating/decrypting the
packet, it is trivial for peer B to impersonate peer A and vice
versa.

						- Bi
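As an added illustration (not part of this thread or of any IPsec implementation), a toy Python model of the gateway scenario above: SA lookup and decapsulation succeed for a packet arriving over peer B's tunnel, but the post-decapsulation SPD check compares the inner packet's selectors with the policy bound to that SA and drops the packet when its inner source claims to be A's network. The SA table, selectors and addresses are constructed; the lookup by SPI and outer source is a simplification of real AH/ESP processing.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class SA:
    spi: int
    peer: str        # outer source address of the tunnel endpoint
    inner_src: str   # selector the SPD bound to this SA (constructed)
    inner_dst: str


@dataclass
class Packet:
    outer_src: str
    spi: int
    inner_src: str   # addresses revealed only after decapsulation
    inner_dst: str


# Constructed SAD: one tunnel to peer A, one to peer B, both terminating
# on the gateway's protected network 10.0.0.0/16.
SAD = {
    (0x1001, "203.0.113.1"): SA(0x1001, "203.0.113.1", "10.1.0.0/16", "10.0.0.0/16"),
    (0x2002, "203.0.113.2"): SA(0x2002, "203.0.113.2", "10.2.0.0/16", "10.0.0.0/16"),
}


def decapsulate(pkt):
    """Stand-in for AH/ESP processing: find the SA, return it with the inner header."""
    sa = SAD.get((pkt.spi, pkt.outer_src))
    return None if sa is None else (sa, (pkt.inner_src, pkt.inner_dst))


def spd_check(sa, inner):
    """Does the inner packet match the selectors the SPD requires for this SA?"""
    src, dst = inner
    return (ip_address(src) in ip_network(sa.inner_src)
            and ip_address(dst) in ip_network(sa.inner_dst))


def inbound(pkt, check_spd=True):
    """Return 'accept' or 'drop'; check_spd=False models skipping the last step."""
    result = decapsulate(pkt)
    if result is None:
        return "drop"                   # no SA: ordinary IPsec failure
    sa, inner = result
    if check_spd and not spd_check(sa, inner):
        return "drop"                   # valid SA, but inner traffic not allowed on it
    return "accept"


# Packet over B's own, perfectly valid SA whose inner source lies in A's network.
spoof = Packet("203.0.113.2", 0x2002, "10.1.5.5", "10.0.0.7")
```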

