Re: Incoming SPD check on packet with no IPsec header?
Yes, you have to.
Let's say for A-B, discard on one end (SG1). And if the other end has
a policy, A-B bypass.
Then without checking the policy on SG1, you will accept that, which
is not correct.
-ramana
At 02:26 PM 8/21/01 -0400, Cambria, Mike wrote:
>In section 5.2.1 of RFC2401, should step #3 be performed (i.e. find incoming
>policy in the SPD that matches the packet) even if the packet arrives with
>no IPsec headers (e.g. nothing to do in steps 1 & 2)?
>
>The beginning of section 5 (and 4.4.1) says that the SPD must be consulted
>during the processing of all traffic. However, since 5.2.1 doesn't mention
>to do this, I wanted to check.
>
>Thanks,
>MikeC
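
The A-B scenario from the reply above, as an added example that is not part of the original thread: SG1 receives a packet with no IPsec header and either skips or performs the inbound SPD lookup. The addresses, names, first-match ordering and default-discard on no match are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass

DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"

@dataclass(frozen=True)
class SpdEntry:
    src: str      # source selector (CIDR)
    dst: str      # destination selector (CIDR)
    action: str   # DISCARD, BYPASS or PROTECT (apply IPsec)

def spd_lookup(spd, src, dst):
    """Return the action of the first entry matching the packet.
    Assumption of this sketch: ordered SPD, no match means discard."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in spd:
        if s in ipaddress.ip_network(entry.src) and d in ipaddress.ip_network(entry.dst):
            return entry.action
    return DISCARD

def inbound_cleartext_unchecked(spd, src, dst):
    """Flawed reading of 5.2.1: the packet has no AH/ESP header, so
    steps 1 and 2 have nothing to do and the SPD is never consulted."""
    return "accept"

def inbound_cleartext(spd, src, dst):
    """Packet with no IPsec header: still match it against the inbound
    SPD. Only BYPASS lets it through; DISCARD drops it, and PROTECT
    drops it because the required IPsec processing was not applied."""
    return "accept" if spd_lookup(spd, src, dst) == BYPASS else "drop"

# Constructed sample SPD for SG1 (documentation address ranges).
SG1_SPD = [
    SpdEntry("192.0.2.0/24", "198.51.100.0/24", DISCARD),    # A -> B
    SpdEntry("203.0.113.0/24", "198.51.100.0/24", PROTECT),  # C -> B
    SpdEntry("0.0.0.0/0", "198.51.100.53/32", BYPASS),       # cleartext host
]

if __name__ == "__main__":
    # The far end bypasses A -> B, so the packet reaches SG1 in the clear.
    pkt = ("192.0.2.10", "198.51.100.20")
    print("without SPD check:", inbound_cleartext_unchecked(SG1_SPD, *pkt))
    print("with SPD check:   ", inbound_cleartext(SG1_SPD, *pkt))
```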