
Help - IPSec Newbie



Hi,
	I have a small doubt. Please help me.
	
As I understand from RFC 2401, the SPD contains entries related to the policies to be applied to packets going out of / coming in to a particular host/gateway. Each entry of the SPD also contains a list of SAs that any packet to which that policy applies will have to pass through. For example, a sample SPD might contain:

<Policy 1> Policy, List of SAs
<Policy 2> Policy, List of SAs

The "List of SAs" could also be a "single" SA, depending upon the policy. The <Policy> to be selected is based on the "selectors" and the packet parameters.
Now, my question is:

1. As I understand, the SPD is a static database set up initially, and all the SAs are created dynamically. This being the case, how will the "List of SAs" or a "Single SA" be specified in the policy entries of the SPD?

2. Just as the incoming packets help in identifying the SA through which they should be passed, using the tuple (SPI, Protocol and Dst Addr), do the SPD entries also have any such identifier for the SAs?

Please help. I am designing an entirely new implementation of IPSec, not based on any existing ones. I am doing this as a part of my Masters project, and inter-operability and performance are my main concerns. Soon, I'll be posting my design for your valuable comments and feedback.

Thanking you,
Arvind.
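An added example, not part of Arvind's post or of any IPsec implementation, modelling the relationship the post asks about as RFC 2401 describes it: an SPD entry carries selectors and an action, and its SA reference is empty until key management (IKE) installs an SA at run time; inbound packets are resolved through the SAD keyed by (destination address, IPsec protocol, SPI), and the decapsulated packet is then checked against the policy that SA was created for. All addresses, SPIs and policy contents are constructed for the demonstration; the single outbound SPD with mirrored inbound checks is a simplification of RFC 2401's separate inbound/outbound databases.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet header: just the fields the selectors look at."""
    src: str
    dst: str
    proto: int                     # transport protocol number (6 = TCP, 17 = UDP)
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Selector:
    """Simplified RFC 2401 selectors; None means 'any'."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class SA:
    spi: int
    ipsec_proto: str               # "ESP" or "AH"
    dst: str                       # peer/tunnel destination address
    policy_id: int                 # back-pointer to the SPD entry that caused its creation


@dataclass
class SPDEntry:
    policy_id: int
    selector: Selector
    action: str                    # "PROTECT", "BYPASS" or "DISCARD"
    sa_bundle: List[SA] = field(default_factory=list)   # empty until IKE populates it


class IPsecTables:
    def __init__(self) -> None:
        self.spd: List[SPDEntry] = []                    # ordered: first match wins
        self.sad: Dict[Tuple[str, str, int], SA] = {}    # (dst, proto, spi) -> SA

    def add_policy(self, entry: SPDEntry) -> None:
        self.spd.append(entry)

    def install_sa(self, sa: SA) -> None:
        """Called when key management negotiates an SA: index it in the SAD and
        link it to its SPD entry, so the static policy now names a live SA."""
        key = (sa.dst, sa.ipsec_proto, sa.spi)
        if key in self.sad:
            raise ValueError(f"duplicate SA {key}")
        for entry in self.spd:
            if entry.policy_id == sa.policy_id:
                self.sad[key] = sa
                entry.sa_bundle.append(sa)
                return
        raise KeyError(f"no SPD entry with policy_id {sa.policy_id}")

    def outbound(self, pkt: Packet) -> Tuple[str, List[SA]]:
        """Outbound: select the policy by selectors; PROTECT without an SA
        means key management must be triggered before the packet can go."""
        for entry in self.spd:
            if entry.selector.matches(pkt):
                if entry.action == "PROTECT" and not entry.sa_bundle:
                    return ("NEED_SA", [])
                return (entry.action, list(entry.sa_bundle))
        return ("DISCARD", [])     # no matching policy: drop by default

    def inbound(self, dst: str, ipsec_proto: str, spi: int,
                inner: Packet) -> Tuple[str, Optional[SA]]:
        """Inbound: SA is found by (dst, protocol, SPI); the decapsulated packet
        must then match the policy the SA belongs to, else it is discarded."""
        sa = self.sad.get((dst, ipsec_proto, spi))
        if sa is None:
            return ("DISCARD", None)
        mirrored = Packet(inner.dst, inner.src, inner.proto, inner.dport, inner.sport)
        for entry in self.spd:
            if entry.policy_id == sa.policy_id:
                if entry.action == "PROTECT" and entry.selector.matches(mirrored):
                    return ("ACCEPT", sa)
                break
        return ("DISCARD", sa)


def build_demo() -> IPsecTables:
    """Constructed SPD: protect 10.1/16 <-> 10.2/16, let IKE (UDP/500) through, drop the rest."""
    t = IPsecTables()
    t.add_policy(SPDEntry(1, Selector(src="10.1.0.0/16", dst="10.2.0.0/16"), "PROTECT"))
    t.add_policy(SPDEntry(2, Selector(proto=17, dport=500), "BYPASS"))
    t.add_policy(SPDEntry(3, Selector(), "DISCARD"))
    return t


if __name__ == "__main__":
    t = build_demo()
    pkt = Packet("10.1.0.5", "10.2.0.9", 6, 51000, 443)
    print(t.outbound(pkt))                        # NEED_SA: policy exists, SA not yet negotiated
    t.install_sa(SA(0x1000, "ESP", "192.0.2.1", policy_id=1))
    print(t.outbound(pkt))                        # PROTECT with the freshly installed SA
    print(t.inbound("192.0.2.1", "ESP", 0x1000, Packet("10.2.0.9", "10.1.0.5", 6, 443, 51000)))
```

The point of the model: the SPD entry itself never contains an SA identifier at configuration time; it holds a slot that key management fills, and the (dst, proto, SPI) tuple is the index of the SAD, not of the SPD. Rejecting an inbound packet whose inner header does not match its SA's policy is the check that stops a peer from using one negotiated SA to inject traffic the policy never covered.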


