Re: On transport-level policy enforcement (was Re: RFC 2401...)
>In Solaris, the SPD rule is cached in the "IP client" state, which
>corresponds to an open socket or TLI/XTI descriptor. In BSD, this is in the
>inpcb state, or perhaps socket state. (Any KAME folks want to clue me in on
>the current practice?) When you change the global SPD, you must update the
I believe the above ("inpcb for BSD") is correct.
With the KAME implementation there are 3 places where you can define policy:
- per-host policy: regardless of packet content, some policy is
  enforced (like "this host will accept encrypted packets only").
- packet filter policy: the packet filter will match outgoing/incoming
  packets and enforce a certain policy, like "ESP is required for
  inbound traffic from 10.0.0.0/8".
  Actually, per-host policy can be implemented by a policy entry with
  filter "0.0.0.0/0". I don't remember why it is not done yet.
- per-socket policy: with setsockopt(2) we can attach policy to the pcb
  (inpcb), like "for SMTP connections over this socket, I ask people
  to use ESP".
Because of some complexity (*) we have in our code, we do not cache
packet filter policy in the inpcb. It definitely makes sense to cache it.
BTW, the cache-in-pcb way does not work well if the BSD box is used
as a router :-)
(*) For example, we have some interaction between user privilege and
per-socket policy: root can override per-host policy with a per-socket
policy; non-root cannot.
Also, if we cache policy, inpcb management will get more complex: we need
to make sure we do not have a dangling pointer from the inpcb to a policy entry.
itojun
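The two complications itojun names (a per-pcb cache of the packet filter policy that must not dangle when the global SPD changes, and the rule that only root may override the per-host policy with a per-socket one) are small enough to model in a few dozen lines. The following is an added toy example, not KAME code and not the inpcb/SPD structures of any real kernel: a generation counter on the SPD tells a pcb when its cached entry is stale, and reference counts keep a removed entry alive until the last pcb that cached it has revalidated. The precedence used here (per-socket, then packet filter, then per-host policy) is an assumption for the example; the original text only states that per-socket policy can override per-host policy for root.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (not KAME code): SPD entries, a per-pcb policy cache with
 * generation-based invalidation, and the root-only override rule. */
enum action { POLICY_UNSET = 0, POLICY_NONE, POLICY_REQUIRE_ESP, POLICY_DISCARD };

struct spd_entry {
    uint32_t net, mask;          /* filter prefix, host byte order */
    enum action act;
    int refcnt;                  /* the SPD's own ref + one per caching pcb */
};

#define SPD_MAX 8
struct spd {
    struct spd_entry *ent[SPD_MAX];
    int n;
    unsigned gen;                /* bumped on every SPD change */
};

struct inpcb {                   /* hypothetical stand-in for the real inpcb */
    uint32_t faddr;              /* foreign address of the connection */
    int uid;                     /* owner of the socket; 0 is root */
    enum action sock_policy;     /* per-socket policy, POLICY_UNSET if none */
    struct spd_entry *sp_cache;  /* cached filter-policy entry, may be NULL */
    unsigned sp_gen;             /* spd->gen at the time sp_cache was filled */
    int sp_valid;                /* sp_cache/sp_gen hold a lookup result */
};

int live_entries = 0;            /* instrumentation: entries not yet freed */

static void spd_entry_release(struct spd_entry *e)
{
    if (e && --e->refcnt == 0) { free(e); live_entries--; }
}

int spd_add(struct spd *spd, uint32_t net, uint32_t mask, enum action act)
{
    struct spd_entry *e;
    if (spd->n == SPD_MAX) return -1;
    if ((e = calloc(1, sizeof *e)) == NULL) return -1;
    e->net = net & mask; e->mask = mask; e->act = act; e->refcnt = 1;
    spd->ent[spd->n++] = e;
    live_entries++;
    spd->gen++;                  /* every cached pointer is now stale */
    return 0;
}

/* Remove entry i. A pcb that still caches it keeps its reference, so the
 * memory is only freed once that pcb revalidates: no dangling pointer. */
int spd_remove(struct spd *spd, int i)
{
    if (i < 0 || i >= spd->n) return -1;
    spd_entry_release(spd->ent[i]);
    memmove(&spd->ent[i], &spd->ent[i + 1], (size_t)(spd->n - i - 1) * sizeof spd->ent[0]);
    spd->n--;
    spd->gen++;
    return 0;
}

static struct spd_entry *spd_lookup(const struct spd *spd, uint32_t addr)
{
    for (int i = 0; i < spd->n; i++)
        if ((addr & spd->ent[i]->mask) == spd->ent[i]->net) return spd->ent[i];
    return NULL;                 /* first match wins; no match means no filter policy */
}

/* Packet filter policy for this pcb, served from the cache while the SPD
 * generation is unchanged and refreshed (with proper ref handling) otherwise. */
enum action pcb_filter_policy(struct inpcb *pcb, const struct spd *spd)
{
    if (!pcb->sp_valid || pcb->sp_gen != spd->gen) {
        struct spd_entry *e = spd_lookup(spd, pcb->faddr);
        if (e) e->refcnt++;
        spd_entry_release(pcb->sp_cache);
        pcb->sp_cache = e;
        pcb->sp_gen = spd->gen;
        pcb->sp_valid = 1;
    }
    return pcb->sp_cache ? pcb->sp_cache->act : POLICY_UNSET;
}

/* setsockopt(2)-style per-socket policy. Root may override the per-host
 * policy; an unprivileged owner may only restate it. Returns -1 for EPERM. */
int pcb_set_sock_policy(struct inpcb *pcb, enum action host_policy, enum action act)
{
    if (pcb->uid != 0 && host_policy != POLICY_UNSET && act != host_policy)
        return -1;
    pcb->sock_policy = act;
    return 0;
}

/* Assumed precedence: per-socket, then packet filter, then per-host policy. */
enum action pcb_effective_policy(struct inpcb *pcb, const struct spd *spd, enum action host_policy)
{
    enum action a = pcb->sock_policy;
    if (a == POLICY_UNSET) a = pcb_filter_policy(pcb, spd);
    if (a == POLICY_UNSET) a = host_policy;
    return a;
}

void pcb_detach(struct inpcb *pcb)   /* called when the socket closes */
{
    spd_entry_release(pcb->sp_cache);
    pcb->sp_cache = NULL;
    pcb->sp_valid = 0;
}

int main(void)
{
    struct spd spd; struct inpcb pcb;
    memset(&spd, 0, sizeof spd); memset(&pcb, 0, sizeof pcb);
    pcb.faddr = 0x0A010203u; pcb.uid = 1000;          /* 10.1.2.3, non-root */
    spd_add(&spd, 0x0A000000u, 0xFF000000u, POLICY_REQUIRE_ESP);
    printf("filter policy: %d\n", pcb_filter_policy(&pcb, &spd));
    spd_remove(&spd, 0);
    printf("after removal, live entries: %d (pcb still holds one)\n", live_entries);
    printf("revalidated: %d, live entries: %d\n", pcb_filter_policy(&pcb, &spd), live_entries);
    pcb_detach(&pcb);
    return 0;
}
```

Note that the router case itojun mentions is exactly where this scheme gives nothing: forwarded packets have no pcb, so every one of them goes through spd_lookup() with no cache to hit.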