
Re: Incoming SPD check on packet with no IPsec header?



If IPsec is enabled on the interface, then yes, all incoming packets
should get checked against the SPD.  Otherwise you might let an
unprotected packet through what should be a protected interface.

Consider an example where you have a UDP protocol being protected by
IPsec; what would happen if you let a non-protected UDP packet in?

-derek

"Cambria, Mike" <mcambria@avaya.com> writes:

> In section 5.2.1 of RFC2401, should step #3 be performed (i.e. find incoming
> policy in the SPD that matches the packet) even if the packet arrives with
> no IPsec headers (e.g. nothing to do in steps 1 & 2)?
> 
> The beginning of section 5 (and 4.4.1) says that the SPD must be consulted
> during the processing of all traffic.  However, since 5.2.1 doesn't mention
> to do this, I wanted to check.
> 
> Thanks,
> MikeC
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
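The point of the exchange above is that the SPD lookup (step 3 of RFC 2401 section 5.2.1) has to run for every inbound packet, not only for those that arrived inside an AH or ESP header; otherwise a cleartext packet can slip past a PROTECT policy. The following is an added example, not code from the thread or from any IPsec implementation: a toy inbound SPD check with a constructed three-entry policy. The `Packet`, `SpdEntry` and `inbound_decision` names, the reduced selector set (destination, protocol, destination port) and the default-discard behaviour when no entry matches are this example's own assumptions.

```python
# Added example (not from the thread): a toy inbound SPD lookup in the spirit of
# RFC 2401 section 5.2.1, showing why step 3 must run even when the packet
# carried no AH/ESP header.  Packet and SpdEntry are constructed here; the
# selectors are deliberately a small subset of what a real SPD supports.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "udp", "tcp", "icmp", ...
    dport: Optional[int] = None
    # True only after steps 1 and 2 (SA lookup and AH/ESP processing) succeeded.
    ipsec_protected: bool = False


@dataclass(frozen=True)
class SpdEntry:
    dst: str                        # exact address or "*" for any
    proto: str                      # exact protocol or "*"
    dport: Optional[int]            # None matches any port
    action: str                     # "PROTECT", "BYPASS" or "DISCARD"


def selector_match(entry: SpdEntry, pkt: Packet) -> bool:
    """Compare the packet against the entry's selectors (wildcards allowed)."""
    return ((entry.dst == "*" or entry.dst == pkt.dst)
            and (entry.proto == "*" or entry.proto == pkt.proto)
            and (entry.dport is None or entry.dport == pkt.dport))


def inbound_decision(spd: List[SpdEntry], pkt: Packet) -> Tuple[str, str]:
    """Step 3 of RFC 2401 5.2.1: find the first matching inbound policy and
    enforce it.  Returns (verdict, reason) with verdict "FORWARD" or "DISCARD".
    Returning DISCARD when nothing matches is this example's conservative default."""
    for entry in spd:
        if not selector_match(entry, pkt):
            continue
        if entry.action == "DISCARD":
            return "DISCARD", "policy says discard"
        if entry.action == "BYPASS":
            return "FORWARD", "policy says bypass IPsec"
        # PROTECT: the packet is acceptable only if it actually arrived inside
        # an SA.  A cleartext packet matching a PROTECT entry is exactly the
        # unprotected-UDP case from the reply above and must not be let through.
        if pkt.ipsec_protected:
            return "FORWARD", "protected as required"
        return "DISCARD", "cleartext packet matched a PROTECT policy"
    return "DISCARD", "no matching SPD entry"


# Constructed sample SPD: the UDP service on 10.0.0.5:5060 must be protected,
# ICMP is allowed in the clear, everything else is dropped.
SAMPLE_SPD = [
    SpdEntry(dst="10.0.0.5", proto="udp", dport=5060, action="PROTECT"),
    SpdEntry(dst="*", proto="icmp", dport=None, action="BYPASS"),
    SpdEntry(dst="*", proto="*", dport=None, action="DISCARD"),
]


def demo() -> dict:
    """Run four constructed packets through the sample SPD."""
    cases = {
        "cleartext_udp": Packet("192.0.2.9", "10.0.0.5", "udp", 5060),
        "protected_udp": Packet("192.0.2.9", "10.0.0.5", "udp", 5060, ipsec_protected=True),
        "cleartext_icmp": Packet("192.0.2.9", "10.0.0.5", "icmp"),
        "cleartext_tcp": Packet("192.0.2.9", "10.0.0.5", "tcp", 22),
    }
    return {name: inbound_decision(SAMPLE_SPD, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:15s} -> {verdict:8s} ({reason})")
```

Running the block shows the two UDP packets with identical selectors getting opposite verdicts: the one that came through an SA is forwarded, the cleartext one is dropped. A real implementation additionally checks the decapsulated packet against the selectors of the SA it arrived on (step 4 of 5.2.1); that part is omitted here.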

