
Re: inbound vs outbound?



No, it is not enough.  If IPsec is enabled on the inbound interface,
then you MUST check the inbound packet against the SPD for that
interface before relaying it.  It does not matter _how_ the packet
arrived; all that matters is that it arrived on a 'protected'
interface.

Ignore tunnels completely; they don't matter in this situation.

-derek

mahdavi@sepahan.iut.ac.ir writes:

> Hi.
> You are right.
> But pay attention to this fact that the RFC is for all implementations.
> Now just verify this phrase (if it is correct, and if it is not, tell me
> why).
> 
> "IF a regular packet is received by our router and it was not tunneled to this
> router, it is enough to apply just the outbound process."
> 
> If the above sentence is not correct let me know. (Think about a security
> gateway -- in a router.)
> 
> sincerely yours
> 
> mahdavi
> 
> >
> > In RFC2401's terminology,
> > an "inbound" packet means a packet received on an interface,
> > an "outbound" packet means a packet sent on an interface.
> >
> > I think you shouldn't use the terms "inbound" and "outbound" if you wish
> > to express another concept.
> >
> > RFC2401, paragraph 4.4, states that "The SPD must be consulted during
> > the processing of all traffic (INBOUND and OUTBOUND), including
> > non-IPsec traffic." and also "Thus the administrative interface must
> > allow the user (or system administrator) to specify the security
> > processing to be applied to any packet entering or exiting the system,
> > on a packet by packet basis."
> >
> > It results that the SPD is consulted twice for forwarded packets.
> >
> >
> > There are not necessarily two physically separate SPDs, but if you only
> > have one SPD, you should add the "direction (inbound/outbound)" info in
> > each entry.
> >
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
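The point of the thread is that a forwarded packet is checked against the SPD twice: once as INBOUND on the interface it arrived on, once as OUTBOUND before it is relayed. The following is an added example (not code from the thread or from any IPsec implementation) that models a gateway doing exactly that, using the single-SPD-with-direction-field layout suggested in the quoted reply. The policy, addresses and packet fields are constructed for the example; the three actions and the "no match means discard" default follow RFC 2401 section 4.4.1, and the "cleartext where protection was required is dropped" rule follows section 5.2.

```python
import ipaddress
from dataclasses import dataclass

# Actions an SPD entry can carry (RFC 2401 section 4.4.1).
DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    ipsec_protected: bool = False  # True if it arrived inside AH/ESP


@dataclass(frozen=True)
class SpdEntry:
    # One SPD whose entries carry the direction, as the quoted reply suggests.
    direction: str  # "in" or "out"
    src: str        # CIDR selector
    dst: str        # CIDR selector
    proto: str      # protocol selector or "any"
    action: str

    def matches(self, direction: str, pkt: Packet) -> bool:
        return (self.direction == direction
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto))


class Spd:
    def __init__(self, entries):
        self.entries = list(entries)  # ordered; first match wins

    def lookup(self, direction: str, pkt: Packet) -> str:
        for e in self.entries:
            if e.matches(direction, pkt):
                return e.action
        return DISCARD  # RFC 2401: a packet with no matching entry is discarded


def forward(pkt: Packet, spd: Spd):
    """Gateway path for a packet received on an IPsec-enabled interface.

    The SPD is consulted as INBOUND on arrival and again as OUTBOUND
    before relaying. Returns (verdict, reason).
    """
    inbound = spd.lookup("in", pkt)
    if inbound == DISCARD:
        return ("DROP", "inbound policy: discard")
    if inbound == PROTECT and not pkt.ipsec_protected:
        # RFC 2401 section 5.2: cleartext traffic that inbound policy
        # says must be protected is dropped, no matter how it arrived.
        return ("DROP", "inbound policy: expected IPsec, got cleartext")
    outbound = spd.lookup("out", pkt)
    if outbound == DISCARD:
        return ("DROP", "outbound policy: discard")
    return ("FORWARD", outbound)


# Constructed policy (an assumption for this example): traffic from the
# 10.0.0.0/8 site to 192.168.1.0/24 must arrive under IPsec, and may be
# relayed in the clear on the far side of the gateway.
POLICY = Spd([
    SpdEntry("in",  "10.0.0.0/8", "192.168.1.0/24", "any", PROTECT),
    SpdEntry("out", "10.0.0.0/8", "192.168.1.0/24", "any", BYPASS),
])

# Constructed packets with the same selectors; only the IPsec status differs.
CLEARTEXT = Packet("10.1.2.3", "192.168.1.10", "tcp", ipsec_protected=False)
PROTECTED = Packet("10.1.2.3", "192.168.1.10", "tcp", ipsec_protected=True)

if __name__ == "__main__":
    # An outbound-only check would let the cleartext packet through (BYPASS);
    # the inbound check is what catches it.
    print("outbound-only verdict for cleartext:", POLICY.lookup("out", CLEARTEXT))
    print("inbound+outbound verdict for cleartext:", forward(CLEARTEXT, POLICY))
    print("inbound+outbound verdict for IPsec-protected:", forward(PROTECTED, POLICY))
```

Running it shows why "just the outbound process" is not enough: the outbound lookup alone returns BYPASS for the cleartext packet, while the full two-lookup path drops it at the inbound step and only forwards the copy that actually arrived under IPsec.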

