RE: Some queries regarding IP security
>>>>> "Andrew" == Andrew Krywaniuk <akrywaniuk@TimeStep.com> writes:
Andrew> I think you guys are missing the point of what Shamik was
Andrew> asking. Of course you have to check the SPD for every packet
Andrew> to verify the IPs, ports, etc., but he was asking
Andrew> specifically about verifying the order of SAs in a bundle.
Andrew> I.e. if you negotiate to do IPCOMP ESP AH and the other guy
Andrew> sends you a packet with ESP AH IPCOMP (not that this order
Andrew> makes any sense), should you drop the packet?
Yes, you should. Chances are you will not so much because of a policy
that says "accept only what you negotiated" but simply because the
implementation flat out refuses to accept weird transform orders like
that.
paul
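
The bundle-order check discussed in this message, as an added example that is not part of the original post or of any IPsec implementation. The names sa_ref, sa_trail, trail_push, check_bundle and MAX_BUNDLE are hypothetical, the SPI values are constructed, and both lists are assumed to be written in the same direction as the thread's "IPCOMP ESP AH".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA IP protocol numbers for the transforms named in the thread. */
enum { PROTO_ESP = 50, PROTO_AH = 51, PROTO_IPCOMP = 108 };
enum { MAX_BUNDLE = 4 };              /* assumed cap on nested transforms */

struct sa_ref { uint8_t proto; uint32_t spi; };   /* SPI, or CPI for IPCOMP */
struct sa_trail { struct sa_ref sa[MAX_BUNDLE]; size_t n; int overflow; };

enum verdict { ACCEPT = 0, DROP_COUNT, DROP_ORDER, DROP_SPI };

/* Hypothetical hook: the inbound path records each SA it has just applied. */
void trail_push(struct sa_trail *t, uint8_t proto, uint32_t spi)
{
    if (t->n == MAX_BUNDLE) { t->overflow = 1; return; }  /* too many layers */
    t->sa[t->n].proto = proto;
    t->sa[t->n].spi = spi;
    t->n++;
}

/* Compare the SAs applied to a packet with the negotiated bundle.
 * Anything other than an exact match, position by position, is a drop. */
enum verdict check_bundle(const struct sa_ref *neg, size_t n_neg,
                          const struct sa_trail *seen)
{
    if (seen->overflow || seen->n != n_neg)
        return DROP_COUNT;            /* transform missing or extra */
    for (size_t i = 0; i < n_neg; i++) {
        if (seen->sa[i].proto != neg[i].proto)
            return DROP_ORDER;        /* e.g. ESP where IPCOMP was agreed */
        if (seen->sa[i].spi != neg[i].spi)
            return DROP_SPI;          /* right protocol, wrong SA */
    }
    return ACCEPT;
}

/* Constructed sample: negotiated bundle IPCOMP ESP AH with made-up SPIs. */
static const struct sa_ref negotiated[3] = {
    { PROTO_IPCOMP, 0x0002 }, { PROTO_ESP, 0x1001 }, { PROTO_AH, 0x2001 },
};

int main(void)
{
    struct sa_trail t = { .n = 0 };
    trail_push(&t, PROTO_ESP, 0x1001);        /* peer sent ESP AH IPCOMP */
    trail_push(&t, PROTO_AH, 0x2001);
    trail_push(&t, PROTO_IPCOMP, 0x0002);
    printf("verdict=%d\n", check_bundle(negotiated, 3, &t));
    return 0;
}
```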