
Re: inbound vs outbound?



At 10:02 AM +0430 7/3/01, mahdavi wrote:
>Hi.
>It's strange. I did not see this matter that you said in RFC2401. There is no
>reason to look at the SPD twice.
>
>Do you think that we have two SPDs for an IPsec system? (one for outbound
>and one for inbound!!). But we just have one SPD per IPsec system.

2401 describes the SPD in terms of inbound and outbound traffic on a 
per-interface basis. One can have one SPD IF it tags entries on a 
per-interface basis and based on directionality, but that becomes 
equivalent to per-interface, per-direction SPDs.

>
>Also I chose native implementation, so why do I have to process one packet
>twice? I have one IPsec system for all interfaces with just one SPD.

One need not look up a packet in the SPD twice. An IPsec-protected 
packet arriving from the Internet and directed to a system behind an 
SG is looked up once in the SAD, to map it to an SA, and the 
processed packet is then looked up in the SPD to ensure that it is 
consistent with the SA via which it was received.

Steve
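As an added illustration of the two-step inbound path Steve describes (one SAD lookup, then one SPD check of the decapsulated packet): this is example code written for this thread, not code from any IPsec implementation, and the SAD/SPD entries, addresses and SPI values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "esp" for the protected outer packet
    spi: int = 0                      # SPI from the ESP header (outer packet only)
    inner: Optional["Packet"] = None  # stand-in for the encapsulated payload

# Constructed SAD, keyed the way RFC 2401 indexes inbound SAs: (dst, SPI, protocol).
SAD = {
    ("203.0.113.1", 0x1001, "esp"): {"name": "sa-branch", "policy": "branch-to-hq"},
}

# Constructed SPD with entries tagged by direction (one table tagged per interface
# and per direction is equivalent to separate per-interface, per-direction SPDs).
SPD = {
    "inbound": [
        {"name": "branch-to-hq", "src": "192.0.2.0/24", "dst": "10.0.0.0/8", "action": "protect"},
    ],
}

def sa_lookup(outer: Packet):
    """Step 1: the single SAD lookup that maps the arriving packet to its SA."""
    return SAD.get((outer.dst, outer.spi, outer.proto))

def spd_check(inner: Packet, sa: dict) -> bool:
    """Step 2: after decapsulation, confirm the inner packet's selectors match an
    inbound SPD entry that requires exactly the SA it arrived on. This stops a peer
    with a valid SA from tunnelling traffic outside its negotiated selectors."""
    for entry in SPD["inbound"]:
        if (entry["action"] == "protect" and entry["name"] == sa["policy"]
                and ipaddress.ip_address(inner.src) in ipaddress.ip_network(entry["src"])
                and ipaddress.ip_address(inner.dst) in ipaddress.ip_network(entry["dst"])):
            return True
    return False

def process_inbound(outer: Packet) -> str:
    """Inbound path at a security gateway: SAD once, then SPD once."""
    sa = sa_lookup(outer)
    if sa is None:
        return "drop: no SA"
    inner = outer.inner  # stands in for ESP decryption/decapsulation
    if inner is None or not spd_check(inner, sa):
        return "drop: SPD mismatch"
    return "accept"
```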

