Re: On transport-level policy enforcement (was Re: RFC 2401...)
> => I know answers to my questions for NRL, what are they for Solaris:
> - is the packet's source address checked in transport mode?
It's part of the SA lookup.
> - is the packet's outer source address checked in destination mode?
Just like the transport mode stuff again.
> - when are the checks done (before, ie. at the end of the lookup
> routine, after, ie. after the processing of all IPsec headers)?
> (NRL code: yes, yes and as soon as possible, ie. the (possibly outer) source
> address is checked in the SA lookup routine).
And you wonder where I got the idea from... ;)
> If the policy is not per-socket then it is recomputed for each packet.
Expensive... but it's often necessary. (Consider the UDP server app that's
bound to only a port and does nothing but recvfrom()s and sendto()s.)
Dan
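To make the ordering discussed above concrete, here is an added toy model of an inbound SA lookup that verifies the packet's (outer, in tunnel mode) source address at the end of the lookup, before any further IPsec header is touched. It is not code from NRL, Solaris or any real IPsec stack; the SA/Layer/SAD names and the sample addresses are invented for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class SA:
    spi: int
    dst: str    # address the SA is destined to (us)
    proto: str  # "esp" or "ah"
    peer: str   # address the SA was negotiated with
    mode: str   # "transport" or "tunnel"; the source check is the same in both

@dataclass
class Layer:
    src: str    # one IP header plus its IPsec header; outer source in tunnel mode
    dst: str
    proto: str
    spi: int
    inner: Optional["Layer"] = None  # next IPsec layer after decapsulation

class SAD:
    def __init__(self) -> None:
        self._table: Dict[Tuple[int, str, str], SA] = {}

    def add(self, sa: SA) -> None:
        self._table[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup_inbound(self, layer: Layer) -> SA:
        # RFC 2401 selects the inbound SA by (SPI, destination, protocol) ...
        sa = self._table.get((layer.spi, layer.dst, layer.proto))
        if sa is None:
            raise LookupError(f"no SA for spi={layer.spi:#x} dst={layer.dst}")
        # ... and the (possibly outer) source is checked right here, at the end
        # of the lookup, not after all IPsec headers have been processed.
        if layer.src != sa.peer:
            raise LookupError(f"source {layer.src} is not the SA peer {sa.peer}")
        return sa

def process_inbound(sad: SAD, pkt: Layer) -> List[SA]:
    """Peel nested IPsec headers; a mismatch at any layer aborts before the next."""
    applied: List[SA] = []
    layer: Optional[Layer] = pkt
    while layer is not None:
        applied.append(sad.lookup_inbound(layer))
        layer = layer.inner
    return applied

def accepts(sad: SAD, pkt: Layer) -> bool:
    try:
        return bool(process_inbound(sad, pkt))
    except LookupError:
        return False
```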