
RFC 2401 section 5.2.1



In the inbound processing section 5.2.1 the RFC 2401 (IPsec architecture)
specifies:
           1. Use the packet's destination address (outer IP header),
              IPsec protocol, and SPI to look up the SA in the SAD.  If
              the SA lookup fails, drop the packet and log/report the
              error.

           2. Use the SA found in (1) to do the IPsec processing, e.g.,
              authenticate and decrypt.  This step includes matching the
              packet's (Inner Header if tunneled) selectors to the
              selectors in the SA.  Local policy determines the
              specificity of the SA selectors (single value, list,
              range, wildcard).  In general, a packet's source address
              MUST match the SA selector value.
              ...
              Do (1) and (2) for every IPsec header until a Transport
              Protocol Header or an IP header that is NOT for this
              system is encountered.  Keep track of what SAs have been
              used and their order of application.

How this was interpreted in current implementations:
 - is the packet's source address checked in transport mode?
 - is the packet's outer source address checked in destination mode?
 - when are the checks done (before, i.e. at the end of the lookup
   routine, or after, i.e. after the processing of all IPsec headers)?
If you know it, what is the rationale?

Regards

Francis.Dupont@enst-bretagne.fr

PS: with the exception of KAME (no check), all open source implementations
I have seen are a bit paranoid, i.e. they check all source addresses
as soon as possible.
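The inbound procedure quoted from RFC 2401 above, steps (1) and (2) repeated per IPsec header, as an added example that is not part of the post and not code from KAME or any other IPsec stack. It models the SAD as a table keyed on (destination address, protocol, SPI), implements the four selector specificities the RFC names (single value, list, range, wildcard), takes the selectors from the inner IP header for tunnel-mode SAs and from the current header for transport-mode SAs, and checks the source address as soon as each SA is found (the "as early as possible" reading the PS describes). All addresses, SPIs and SAD entries are constructed for illustration; the `IPHeader`, `SA`, `SAD` and `inbound_process` names are this example's own.

```python
"""Inbound IPsec processing modelled on RFC 2401 section 5.2.1, steps (1) and (2).

Added example; not code from the post or from any real IPsec stack.
All SAD entries, addresses and SPIs below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Union

# A selector holds one of the four specificities the RFC lets local policy
# choose: a single value, a list, an inclusive (lo, hi) range, or "*".
Selector = Union[str, list, tuple]


def selector_matches(selector: Selector, addr: str) -> bool:
    """Return True if the address satisfies the selector."""
    a = ipaddress.ip_address(addr)
    if selector == "*":                                  # wildcard
        return True
    if isinstance(selector, tuple):                      # inclusive range
        lo, hi = (ipaddress.ip_address(x) for x in selector)
        return lo <= a <= hi
    if isinstance(selector, list):                       # list of values
        return any(selector_matches(s, addr) for s in selector)
    return ipaddress.ip_address(selector) == a           # single value


@dataclass
class SA:
    spi: int
    proto: str              # "ESP" or "AH"
    dst: str                # destination address the SA is bound to
    mode: str               # "transport" or "tunnel"
    src_selector: Selector  # what the packet's source address must match


@dataclass
class IPHeader:
    """One IP header plus the IPsec headers that follow it, outermost first.
    `inner` is the next IP header when a tunnel-mode SA is in the list and
    None when a transport-protocol header (TCP, UDP, ...) follows instead."""
    src: str
    dst: str
    ipsec: list = field(default_factory=list)   # (protocol, SPI) pairs
    inner: Optional["IPHeader"] = None


class SAD:
    """Security Association Database keyed on (dst, protocol, SPI), as step (1) requires."""
    def __init__(self, sas):
        self.by_key = {(sa.dst, sa.proto, sa.spi): sa for sa in sas}

    def lookup(self, dst: str, proto: str, spi: int) -> Optional[SA]:
        return self.by_key.get((dst, proto, spi))


def inbound_process(sad: SAD, local_addrs: set, hdr: IPHeader):
    """Apply steps (1) and (2) to every IPsec header until a transport header
    or an IP header not addressed to this system is reached.

    Returns (verdict, reason, spis_used); spis_used records the SAs in the
    order they were applied, which the RFC asks the receiver to keep track of."""
    used = []
    while hdr is not None and hdr.dst in local_addrs:
        for proto, spi in hdr.ipsec:
            # Step (1): look up the SA; a miss is a drop plus a logged error.
            sa = sad.lookup(hdr.dst, proto, spi)
            if sa is None:
                return ("DROP", f"no SA for dst={hdr.dst} {proto} spi={spi:#x}", used)
            # Step (2): selectors come from the inner header in tunnel mode and
            # from this header in transport mode; the source address is checked
            # as soon as the SA is known (the "check early" reading).
            sel_hdr = hdr.inner if sa.mode == "tunnel" else hdr
            if sel_hdr is None:
                return ("DROP", f"tunnel-mode SA spi={spi:#x} but no inner IP header", used)
            if not selector_matches(sa.src_selector, sel_hdr.src):
                return ("DROP", f"src {sel_hdr.src} fails selector {sa.src_selector!r} of spi={spi:#x}", used)
            used.append(sa.spi)
        hdr = hdr.inner   # descend into the tunnelled packet, if any
    reason = "transport header reached" if hdr is None else f"forward to {hdr.dst}"
    return ("ACCEPT", reason, used)


# Constructed SAD for a host/gateway whose only local address is 192.0.2.1.
LOCAL = {"192.0.2.1"}
SAD_EXAMPLE = SAD([
    SA(0x100, "ESP", "192.0.2.1", "tunnel", ("10.1.0.0", "10.1.255.255")),
    SA(0x200, "AH", "192.0.2.1", "transport", ["203.0.113.5", "203.0.113.6"]),
    SA(0x400, "AH", "192.0.2.1", "transport", "198.51.100.7"),
])


def demo():
    """Run five constructed inbound packets through the procedure."""
    packets = [
        # tunnel-mode ESP, inner source inside the SA's range: accepted and forwarded
        IPHeader("198.51.100.7", "192.0.2.1", [("ESP", 0x100)], IPHeader("10.1.4.9", "10.0.0.50")),
        # same SA, inner source outside the range: dropped at step (2)
        IPHeader("198.51.100.7", "192.0.2.1", [("ESP", 0x100)], IPHeader("10.9.9.9", "10.0.0.50")),
        # transport-mode AH from a listed source: accepted, payload is local
        IPHeader("203.0.113.6", "192.0.2.1", [("AH", 0x200)]),
        # unknown SPI: dropped at step (1)
        IPHeader("203.0.113.6", "192.0.2.1", [("AH", 0x999)]),
        # AH (transport) over ESP (tunnel): both SAs applied, in order
        IPHeader("198.51.100.7", "192.0.2.1", [("AH", 0x400), ("ESP", 0x100)],
                 IPHeader("10.1.4.9", "192.0.2.1")),
    ]
    return [inbound_process(SAD_EXAMPLE, LOCAL, p) for p in packets]


if __name__ == "__main__":
    for verdict, reason, used in demo():
        print(verdict, [hex(s) for s in used], reason)
```

Moving the `selector_matches` call out of the per-SA loop and running it once over the recorded `used` list after the `while` loop is the other ordering the question asks about (checking after all IPsec headers have been processed); the example keeps the early check so that a mismatch is reported against the specific SA that failed.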
