
Re: On transport-level policy enforcement (was Re: RFC 2401...)



 In your previous mail you wrote:

   I've been watching the transport vs. tunnel debate silently.  For the record,
   I'm in (almost?) full agreement with Joe Touch that "tunnel mode" can be
   better implemented (and should be treated) as a special case of transport
   mode.  I'll now try and explain how I arrived here through experiences of two
   (NRL and Solaris) IPsec implementations.
   
=> I know the answers to my questions for NRL; what are they for Solaris:
 - is the packet's source address checked in transport mode?
 - is the packet's outer source address checked in destination mode?
 - when are the checks done (before, i.e. at the end of the lookup
   routine, or after, i.e. after the processing of all IPsec headers)?
(NRL code: yes, yes and as soon as possible, i.e. the (possibly outer) source
address is checked in the SA lookup routine).
   
   In Solaris, the SPD rule is cached in the "IP client" state, which
   corresponds to an open socket or TLI/XTI descriptor.  In BSD, this is in the
   inpcb state, or perhaps socket state.  (Any KAME folks want to clue me in on
   the current practice?)

=> KAME caches inbound and outbound SPD entries in the PCB (inpcb) with
a flag for privileged (i.e. owned by root) sockets. Very standard...
If the policy is not per-socket then it is recomputed for each packet.

Thanks

Francis.Dupont@enst-bretagne.fr
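The "as soon as possible" check described for the NRL code above, as an added example that is not NRL, KAME or Solaris code: an inbound SA is selected by (SPI, destination, protocol) and, inside that same lookup routine, the packet's outer source address is compared with the peer the SA was set up with, before any IPsec header is processed. The SADB contents, addresses and SPIs are constructed for the example, and the `demo_lookup`/`sa_lookup` names are assumptions, not the names of any real stack's functions.

```c
#include <stdint.h>
#include <stdio.h>

enum sa_mode { SA_TRANSPORT = 0, SA_TUNNEL = 1 };

struct sa {
    uint32_t spi;        /* Security Parameters Index from the ESP/AH header */
    uint8_t  proto;      /* 50 = ESP, 51 = AH */
    uint32_t dst;        /* our address; (spi, dst, proto) identifies the SA */
    uint32_t src;        /* the peer this SA was negotiated with */
    enum sa_mode mode;   /* the source check below is the same in both modes */
};

struct pkt {
    uint32_t outer_src;  /* IP source of the datagram carrying the IPsec header */
    uint32_t outer_dst;
    uint8_t  proto;
    uint32_t spi;
};

#define SADB_MAX 8
struct sadb { struct sa e[SADB_MAX]; int n; };

enum { LOOKUP_NO_SA = -1, LOOKUP_BAD_SRC = -2 };

uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static int sadb_add(struct sadb *db, struct sa s) {
    if (db->n >= SADB_MAX) return -1;
    db->e[db->n] = s;
    return db->n++;
}

/* Inbound SA lookup with the source check done as early as possible:
 * the SA is found by (spi, dst, proto), and before anything else is done
 * the packet's (possibly outer) source must equal the SA's peer.  For a
 * transport-mode SA that is the only IP source there is; for a tunnel-mode
 * SA it is the outer source, checked before decapsulation.
 * Returns the SADB index, LOOKUP_NO_SA, or LOOKUP_BAD_SRC. */
int sa_lookup(const struct sadb *db, const struct pkt *p) {
    for (int i = 0; i < db->n; i++) {
        const struct sa *s = &db->e[i];
        if (s->spi != p->spi || s->dst != p->outer_dst || s->proto != p->proto)
            continue;
        if (p->outer_src != s->src)
            return LOOKUP_BAD_SRC;   /* SA exists, but the packet did not come from its peer */
        return i;
    }
    return LOOKUP_NO_SA;
}

/* Constructed SADB: one transport-mode and one tunnel-mode inbound ESP SA to us (10.0.0.1). */
static struct sadb demo_sadb(void) {
    struct sadb db = { .n = 0 };
    sadb_add(&db, (struct sa){ .spi = 0x1000, .proto = 50, .dst = ip4(10,0,0,1),
                               .src = ip4(10,0,0,2), .mode = SA_TRANSPORT });
    sadb_add(&db, (struct sa){ .spi = 0x2000, .proto = 50, .dst = ip4(10,0,0,1),
                               .src = ip4(192,0,2,1), .mode = SA_TUNNEL });
    return db;
}

/* Look up an inbound ESP packet to 10.0.0.1 with the given outer source and SPI. */
int demo_lookup(uint32_t outer_src, uint32_t spi) {
    struct sadb db = demo_sadb();
    struct pkt p = { .outer_src = outer_src, .outer_dst = ip4(10,0,0,1), .proto = 50, .spi = spi };
    return sa_lookup(&db, &p);
}

int main(void) {
    printf("transport, genuine peer:   %d\n", demo_lookup(ip4(10,0,0,2), 0x1000));
    printf("transport, spoofed source: %d\n", demo_lookup(ip4(10,0,0,9), 0x1000));
    printf("tunnel, genuine gateway:   %d\n", demo_lookup(ip4(192,0,2,1), 0x2000));
    printf("tunnel, other outer src:   %d\n", demo_lookup(ip4(198,51,100,7), 0x2000));
    printf("unknown SPI:               %d\n", demo_lookup(ip4(10,0,0,2), 0x3000));
    return 0;
}
```

Rejecting on LOOKUP_BAD_SRC before the ESP/AH header is processed is what makes the check cheap: a spoofed packet is dropped on a few integer comparisons rather than after a full decryption or MAC verification, and the same code path serves both modes because it only ever looks at the address on the datagram that actually arrived.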

