
Re: On transport-level policy enforcement (was Re: RFC 2401...)



> => I know answers to my questions for NRL, what are they for Solaris:
>  - is the packet's source address checked in transport mode?

It's part of the SA lookup.

>  - is the packet's outer source address checked in destination mode?

Just like the transport mode stuff again.

>  - when are the checks done (before, ie. at the end of the lookup
>    routine, after, ie. after the processing of all IPsec headers)?
> (NRL code: yes, yes and as soon as possible, ie. the (possibly outer) source
> address is checked in the SA lookup routine).

And you wonder where I got the idea from... ;)

> If the policy is not per-socket then it is recomputed for each packet.

Expensive... but it's often necessary.  (Consider the UDP server app that's
bound to only a port and does nothing but recvfrom()s and sendto()s.)

Dan
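The lookup-time source check the thread describes, as an added illustration that is not code from the NRL or Solaris implementations: a constructed inbound SA table keyed by (SPI, protocol, destination) as in RFC 2401, with the peer source address (inner for transport mode, outer for tunnel mode) verified inside the lookup routine itself, so a mismatch is rejected before any IPsec header is processed. All addresses, SPIs and the table layout are constructed example values.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed example: an inbound IPsec SA table whose lookup folds in
 * the source-address check, rather than deferring it until after the
 * AH/ESP headers have been processed. */

enum sa_mode { SA_TRANSPORT = 0, SA_TUNNEL = 1 };

struct sa_entry {
    uint32_t spi;      /* SPI carried in the AH/ESP header */
    uint8_t  proto;    /* 50 = ESP, 51 = AH */
    uint32_t dst;      /* IPv4 destination the SA was negotiated for */
    uint32_t src;      /* IPv4 peer address expected on inbound packets */
    enum sa_mode mode; /* tunnel mode: caller passes the OUTER source */
};

/* Constructed table: one SA per mode, addresses are example values. */
static const struct sa_entry sadb[] = {
    { 0x1001, 50, 0x0A000001 /* 10.0.0.1 */, 0x0A000002 /* 10.0.0.2 */, SA_TRANSPORT },
    { 0x2002, 50, 0x0A000001 /* 10.0.0.1 */, 0xC0A80001 /* 192.168.0.1 */, SA_TUNNEL },
};

/* Inbound lookup keyed by (SPI, proto, dst). The source check is part of
 * the lookup: an SA that matches the key but not the (possibly outer)
 * source address is treated as "no SA" and the packet is dropped. */
const struct sa_entry *lookup_inbound_sa(uint32_t spi, uint8_t proto,
                                         uint32_t src, uint32_t dst)
{
    for (size_t i = 0; i < sizeof sadb / sizeof sadb[0]; i++) {
        const struct sa_entry *sa = &sadb[i];
        if (sa->spi != spi || sa->proto != proto || sa->dst != dst)
            continue;
        /* Key matched; reject here if the source does not belong to it. */
        return sa->src == src ? sa : NULL;
    }
    return NULL;
}

/* Returns 1 if the packet may enter IPsec processing, 0 if it is dropped. */
int accept_inbound(uint32_t spi, uint8_t proto, uint32_t src, uint32_t dst)
{
    return lookup_inbound_sa(spi, proto, src, dst) != NULL;
}
```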

