
Re: Help - IPSEC beginner



hi,
    thank you very much for your response. to summarise, I've got replies that
clearly indicate that my work for 2 and a half months is a bit more... As a
matter of fact, I'll have a master's degree in that time, but I propose
continuing the work even after that. responses also mentioned looking at
the OpenBSD, FreeS/WAN and KAME code. I've been doing quite a lot of code
study there too. they give such interesting details that I can never afford
to miss.
    I've got a doubt - as we know, the SAD is a dynamic entity, and entries are
created in the SAD on the fly - whenever there is a policy in the SPD that suggests
use of a non-existent SA. my doubt is, how does the SPD mention that a
particular SA be used for outbound processing when that SA does not exist? or,
does it just mention "use an SA that has these particular characteristics -
algos, etc." - the IPsec code looks in the dynamically created SAD for an
SA having those characteristics and, if not present, creates it? if this is the
case, is the SPI for the SA dynamically generated?
    according to OpenBSD, security associations are created initially using
the utility ipsecadm. this, I guess, should go into the kernel data structures,
and they are consulted every time an incoming packet arrives (initially). when a
packet arrives and an SA exists (one that matches the packet's IPsec header's Dst
Addr, Proto and SPI fields), the packet is IPsec processed. if not, it is
dropped (RFC 2401). however, as the host (or the gateway) generates more
packets, these outbound packets may trigger creation of more SAs that add to the
existing set of SAs.
    in brief:

  1. How will the SPD mention the set of SAs to be used for outbound processing?
  2. Am I right in assuming that we need to create an initial set of SAs?

thanks again for the previous responses (Sandy Harris, itojun, Jerome Freedman
Jr.)

regards,
arvind.
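A toy model of the SPD/SAD split the two questions above are about, added here as an example (constructed code, not OpenBSD, KAME or FreeS/WAN code): an SPD entry only names the characteristics of the SA it needs, the outbound path searches the SAD for an SA with those characteristics and creates one when none exists (the SPI generation here is a stand-in for the key-management negotiation a real stack would trigger), and the inbound path matches exactly on the (Dst Addr, Proto, SPI) triple and drops otherwise. The `install_sa` helper stands in for what a manual tool such as ipsecadm does; all names and sample addresses are assumptions.

```python
"""Toy model of the RFC 2401 SPD / SAD split (constructed; not OpenBSD, KAME or FreeS/WAN code)."""
import ipaddress
import random

def add_policy(spd, src_net, dst_net, action, proto=None, peer=None, alg=None):
    """Append an SPD entry: a traffic selector plus the *kind* of SA required (no SPI here)."""
    spd.append({"src": src_net, "dst": dst_net, "action": action,
                "proto": proto, "peer": peer, "alg": alg})

def install_sa(sad, dst, proto, spi, alg):
    """Install an SA the way a manual tool (e.g. ipsecadm) would; keyed by (dst, proto, spi)."""
    sad[(dst, proto, spi)] = {"dst": dst, "proto": proto, "spi": spi, "alg": alg}
    return sad[(dst, proto, spi)]

def lookup_policy(spd, src, dst):
    """Ordered SPD search; the first matching selector wins."""
    for p in spd:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(p["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(p["dst"])):
            return p
    return None

def find_sa(sad, peer, proto, alg):
    """Outbound side: any SA in the SAD with the characteristics the policy asks for."""
    for sa in sad.values():
        if sa["dst"] == peer and sa["proto"] == proto and sa["alg"] == alg:
            return sa
    return None

def outbound(spd, sad, src, dst):
    """Return (action, sa). A policy that needs a missing SA triggers an 'acquire'."""
    p = lookup_policy(spd, src, dst)
    if p is None or p["action"] == "discard":
        return ("discard", None)            # no matching policy: the packet is dropped
    if p["action"] == "bypass":
        return ("bypass", None)
    sa = find_sa(sad, p["peer"], p["proto"], p["alg"])
    if sa is None:
        # Stand-in for the ACQUIRE handed to the key-management daemon, which would
        # negotiate the real SA and its SPI. Here we just pick an unused SPI
        # (values 1..255 are reserved by IANA, so start above them).
        spi = random.randrange(256, 2**32)
        while (p["peer"], p["proto"], spi) in sad:
            spi = random.randrange(256, 2**32)
        sa = install_sa(sad, p["peer"], p["proto"], spi, p["alg"])
    return ("ipsec", sa)

def inbound(sad, dst, proto, spi):
    """Inbound side: exact match on (Dst Addr, Proto, SPI); None means the packet is dropped."""
    return sad.get((dst, proto, spi))
```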



