
Re: inbound vs outbound?



Hi,
many thanks for your comments,
but


> 
> 2401 describes the SPD in terms of inbound and outbound traffic on a 
> per interface basis.  one can have one SPD IF it tags entries on a 
> per-interface basis and based on directionality, but that becomes 
> equivalent to per-interface, per-direction  SPDs.
> 
> >
> >Also I chose a native implementation, so why do I have to process one packet
> >twice? I have one IPsec system for all interfaces with just one SPD.
> 
> one need not look up a packet in the SPD twice. An IPsec-protected 
> packet arriving from the Internet and directed to a system behind an 
> SG is looked up once in the SAD, to map it to an SA, and the 
> processed packet is then looked up in the SPD to ensure that it is 
> consistent with the SA via which it was received.
> 
> Steve

I am implementing IPsec natively in the heart of a router.
My IPsec has no contact with any interface. It doesn't know anything about
the interface for a certain packet. It doesn't know which interface this packet
came from.
The inbound SPD and the outbound SPD are the same in my design; there is no difference between them.


----------------\
                |     ______________
------------    |    /
           |    |    |
        ___|____|____|____
       /                  \
       |                __________
       |   ROUTER      /          \
-------|               |          |
       |               |  IPSEC   |
       |               |          |
       |               |  system  |
-------|               |          |
       |               |          |
       |               |          |
       |               \__________/
       |                  |
       \__________________/
          |    |    |
          |    |    |
----------/    |    |
               |    \________
               |

Look at the above figure.

There are many interfaces, but there is no relation between an interface and
IPsec.

The router works in this manner: it gives every packet that is coming in on any
interface to IPsec.
The IPsec system will act on it, then it generates a new packet and gives it back
to the router.
Then the router will continue its work.

Right now, let me know what is wrong with this sentence in such a situation:

"Every packet is outbound, unless it is destined to my machine in tunnel mode.
After inbound processing on such a packet I have to process it as outbound."

best wishes 
mahdavi. 
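As an added illustration of the two lookups Steve describes in the quoted reply (one SAD lookup to find the SA, then one SPD check that the decapsulated packet is consistent with that SA), here is a small Python model. It is example code written for this archive page, not code from either correspondent or from any IPsec implementation. It assumes the RFC 2401 convention of keying the SAD by (SPI, destination address, protocol), models the single SPD whose entries are tagged with direction and interface (the arrangement Steve calls equivalent to per-interface, per-direction SPDs), and uses made-up addresses, SPIs and policy entries as sample data.

```python
"""Constructed model of RFC 2401 inbound IPsec processing: one SAD lookup to
find the SA, then one SPD check that the decapsulated packet is permitted
to arrive over that SA.  Addresses, SPIs and policies are sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ESP, AH = 50, 51


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    iface: str                        # interface the packet arrived on
    spi: Optional[int] = None         # set for ESP/AH packets
    inner: Optional["Packet"] = None  # tunnel mode: the encapsulated packet


@dataclass(frozen=True)
class Selector:
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: Optional[int] = None  # None means any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto))


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str
    proto: int          # ESP or AH
    tunnel: bool
    selector: Selector  # traffic this SA was negotiated to carry


@dataclass(frozen=True)
class SPDEntry:
    direction: str      # "in" or "out"
    iface: str          # interface name, or "*" for any interface
    selector: Selector
    action: str         # "protect", "bypass" or "discard"


SAD = Dict[Tuple[int, str, int], SA]   # keyed by (SPI, dst, proto), as in RFC 2401
SPD = List[SPDEntry]                   # ordered; first match wins


def sad_lookup(sad: SAD, pkt: Packet) -> Optional[SA]:
    if pkt.spi is None:
        return None
    return sad.get((pkt.spi, pkt.dst, pkt.proto))


def spd_lookup(spd: SPD, pkt: Packet, direction: str) -> Optional[SPDEntry]:
    """One SPD whose entries carry direction and interface tags."""
    for e in spd:
        if e.direction == direction and e.iface in ("*", pkt.iface) and e.selector.matches(pkt):
            return e
    return None


def inbound_process(sad: SAD, spd: SPD, pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Return (verdict, packet handed back to the router)."""
    if pkt.proto in (ESP, AH):
        sa = sad_lookup(sad, pkt)                 # first lookup: SAD
        if sa is None:
            return "discard: no SA for SPI", None
        inner = pkt.inner if sa.tunnel else pkt   # tunnel mode: check the inner packet
        if inner is None:
            return "discard: tunnel SA without inner packet", None
        decap = Packet(inner.src, inner.dst, inner.proto, pkt.iface)  # keeps arrival interface
        entry = spd_lookup(spd, decap, "in")      # second lookup: SPD
        if entry is None or entry.action != "protect" or not sa.selector.matches(decap):
            return "discard: packet not consistent with SA", None
        return "forward", decap
    entry = spd_lookup(spd, pkt, "in")
    if entry is not None and entry.action == "bypass":
        return "forward", pkt
    # "protect" means this traffic must arrive under IPsec; a bare copy is dropped.
    return "discard: unprotected traffic requires IPsec", None


# Constructed sample tables: a gateway at 203.0.113.1 tunnelling 10.1.0.0/16 <-> 10.2.0.0/16.
SAMPLE_SA = SA(spi=0x1001, dst="203.0.113.1", proto=ESP, tunnel=True,
               selector=Selector("10.1.0.0/16", "10.2.0.0/16"))
SAMPLE_SAD: SAD = {(SAMPLE_SA.spi, SAMPLE_SA.dst, SAMPLE_SA.proto): SAMPLE_SA}
SAMPLE_SPD: SPD = [
    SPDEntry("in", "*", Selector("10.1.0.0/16", "10.2.0.0/16"), "protect"),
    SPDEntry("in", "eth0", Selector("0.0.0.0/0", "198.51.100.0/24"), "bypass"),
    SPDEntry("in", "*", Selector("0.0.0.0/0", "0.0.0.0/0"), "discard"),
]


def demo() -> List[str]:
    """Run five constructed inbound packets through the model and collect verdicts."""
    good = Packet("192.0.2.10", "203.0.113.1", ESP, "eth0", spi=0x1001,
                  inner=Packet("10.1.0.5", "10.2.0.7", 6, "eth0"))
    wrong_inner = Packet("192.0.2.10", "203.0.113.1", ESP, "eth0", spi=0x1001,
                         inner=Packet("10.9.0.1", "10.2.0.7", 6, "eth0"))
    unknown_spi = Packet("192.0.2.10", "203.0.113.1", ESP, "eth0", spi=0x2222)
    bare = Packet("10.1.0.5", "10.2.0.7", 6, "eth1")
    bypass = Packet("192.0.2.10", "198.51.100.3", 17, "eth0")
    return [inbound_process(SAMPLE_SAD, SAMPLE_SPD, p)[0]
            for p in (good, wrong_inner, unknown_spi, bare, bypass)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the second lookup is the `wrong_inner` and `bare` cases: an SA that decrypts correctly is not enough, the decapsulated packet must still match the SPD entry that requires protection for that traffic, and traffic that the SPD says must be protected is dropped when it shows up in the clear. The interface tag on the SPD entries is what lets a single table stand in for per-interface SPDs; an implementation that, like the router described in this message, never learns the arrival interface can only use entries tagged "*".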


