
Question regarding SPD and SA bundles...



Hi,
I've not understood a phrase in RFC 2401, Section 5.1.1. In 
the outbound processing, the RFC says:

"Match the packet's selector fields against the outbound policies 
in the SPD to locate the first appropriate policy, which will 
point to zero or more SA bundles in the SAD"

As I have understood, an SPD is something like this:

<Policy 1> <One or more SA templates>
<Policy 2> <One or more SA templates>
.........
I've used the words "SA template" here because these templates 
become SAs in the SAD, and not in the SPD itself.

If a policy contains more than one SA template, we have an SA 
bundle that it points to.
Now, my question is this: As I see from above, a policy can 
either point to _one_ SA, or _one_ SA bundle (more than one 
SA). Where is the question of SPD entries matching "one or more 
SA Bundles"? 

I've myself got one possible answer - correct me if I am wrong: 
these SA bundles are nothing but SAs created from these templates 
for each connection that requires it? Initially, we begin with 
one set of SA templates for a particular policy, and, when 
a packet's selector matches this policy, it initiates creation 
of the SA bundle pointed to by it. Now, when another packet, for 
a different connection, also matches this policy's selector, 
another SA bundle is created for this packet from the same set 
of SA templates. This effectively means that this SPD entry 
now points to two SA bundles... and the story goes on.

If my above answer is right, in a way, the SPD is not just a 
static database - SA bundles keep on getting added to it as 
and when a new channel is to be created. Please comment on this too.

thanks for your patience, and hoping for an answer soon...

regards,
arvind.

-------------------------------------------
Arvind Devarajan

Luck is defined as the time when HARD WORK meets OPPORTUNITY!
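
The reading proposed in the message above, modelled as a small Python sketch. This is an added example, not part of the original post and not code from any IPsec implementation; the class names, addresses and SPI values are hypothetical, and it assumes the policy takes SA selector values from the packet (RFC 2401 lets a policy entry take them from the packet or from the entry itself), so each connection gets its own bundle.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Policy:
    name: str
    dst_net: str      # selector: destination prefix (static configuration)
    templates: tuple  # ordered SA templates, e.g. ("ESP", "AH"); empty means bypass
    # Links from this policy to SAD entries: connection -> SA bundle (tuple of SPIs).
    bundles: dict = field(default_factory=dict)

    def matches(self, dst):
        return ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)

class IPsecOutbound:
    def __init__(self, spd):
        self.spd = spd            # ordered list: the first matching policy wins
        self.sad = {}             # SPI -> (protocol, connection)
        self._spi = count(0x1000) # constructed SPI values

    def lookup(self, src, dst):
        """Return (policy, bundle) for an outbound packet, creating SAs on a miss."""
        policy = next((p for p in self.spd if p.matches(dst)), None)
        if policy is None:
            raise LookupError("no matching SPD entry")
        conn = (src, dst)  # assumption: SA selector values are taken from the packet
        if policy.templates and conn not in policy.bundles:
            # Stand-in for key management: one SA per template, stored in the SAD.
            bundle = []
            for proto in policy.templates:
                spi = next(self._spi)
                self.sad[spi] = (proto, conn)
                bundle.append(spi)
            policy.bundles[conn] = tuple(bundle)
        return policy, policy.bundles.get(conn, ())

def demo():
    # Constructed sample SPD and traffic.
    spd = [Policy("protect-lab", "10.1.0.0/16", ("ESP", "AH")),
           Policy("bypass-rest", "0.0.0.0/0", ())]
    ipsec = IPsecOutbound(spd)
    ipsec.lookup("192.0.2.1", "10.1.0.5")
    ipsec.lookup("192.0.2.1", "10.1.0.9")      # second connection, same policy
    ipsec.lookup("192.0.2.1", "10.1.0.5")      # reuses the first bundle
    ipsec.lookup("192.0.2.1", "198.51.100.7")  # bypass policy: zero bundles
    return spd, ipsec

if __name__ == "__main__":
    spd, ipsec = demo()
    for p in spd:
        print(p.name, "->", list(p.bundles.values()))
    print("SAD entries:", len(ipsec.sad))
```

In this model the policy's selector and templates never change; only its links to SAD entries grow as new connections match it.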

