
Re: inbound vs outbound?



Hi.
Thanks for your interest.
> No, it is not enough.  If IPsec is enabled on the inbound interface,
> then you MUST check the inbound packet against the SPD for that
> interface before relaying it.  It does not matter _how_ the packet
> arrived; all that matters is that it arrived on a 'protected'
> interface.
> 
> Ignore tunnels completely; they don't matter in this situation.
> 
> -derek
> 

Forget about interfaces.

I am implementing IPsec natively in the heart of a router.
My IPsec does not have any contact with any interface. It doesn't know anything
about the interface for a given packet. It doesn't know which interface the
packet came from.
The inbound SPD and the outbound SPD are the same in my design; there is no
difference between them.


----------------\
                |     ______________
------------    |    /
           |    |    |
        ___|____|____|____
       /                  \
       |                __________
       |   ROUTER      /          \
-------|               |          |
       |               |  IPSEC   |
       |               |          |
       |               |  system  |
-------|               |          |
       |               |          |
       |               |          |
       |               \__________/
       |                  |
       \__________________/
          |    |    |
          |    |    |
----------/    |    |
               |    \________
               |

Look at the figure above.

There are many interfaces, but there is no relation between an interface and
IPsec.

The router works in such a way that it gives every packet that comes in on any
interface to IPsec.
The IPsec system acts on it, then generates a new packet and gives it back
to the router.
Then the router continues its work.

In this design, do you still say that the sentence below is wrong?

"Every packet is outbound unless it is destined to my machine in tunnel mode.
After inbound processing of such a packet, I have to process it as outbound."

For now I think that the above sentence is right.

Let me know your opinion.

Many thanks in advance.

Sincerely yours,
mahdavi.
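
The processing rule stated in this message, set beside the inbound SPD check the quoted reply asks for, as an added example that is not part of the original post. The addresses, SPD entries and packet fields are constructed, SA lookup and cryptography are not modelled, and treating the mirror of a PROTECT entry as "must arrive protected" is an assumption of this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ROUTER = "192.0.2.1"  # constructed: this router's own tunnel endpoint address

@dataclass
class Packet:
    src: str
    dst: str
    esp: bool = False                 # True when the outer header carries ESP
    inner: Optional["Packet"] = None  # tunnel-mode payload; decryption is not modelled

# One SPD for both directions, as in the design above (entries are constructed).
SPD = [
    ("10.1.0.0/16", "10.2.0.0/16", "PROTECT"),  # local site -> remote site
    ("0.0.0.0/0", "0.0.0.0/0", "BYPASS"),
]

def lookup(src: str, dst: str) -> str:
    """First-match lookup; returns the action of the matching SPD entry."""
    for src_net, dst_net, action in SPD:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action
    return "DISCARD"

def outbound(pkt: Packet) -> str:
    return "encapsulate" if lookup(pkt.src, pkt.dst) == "PROTECT" else "forward"

def as_described(pkt: Packet) -> str:
    """The post's rule: only tunnel packets addressed to us are inbound;
    after decapsulation, and in every other case, process as outbound."""
    if pkt.esp and pkt.dst == ROUTER and pkt.inner is not None:
        pkt = pkt.inner
    return outbound(pkt)

def with_inbound_check(pkt: Packet) -> str:
    """Same rule plus an inbound policy check (assumption: the mirror of a
    PROTECT entry means 'this traffic must have arrived inside the tunnel')."""
    arrived_protected = pkt.esp and pkt.dst == ROUTER and pkt.inner is not None
    if arrived_protected:
        pkt = pkt.inner
    must_be_protected = lookup(pkt.dst, pkt.src) == "PROTECT"
    if must_be_protected and not arrived_protected:
        return "drop"
    return outbound(pkt)

# Constructed samples: the same inner packet arriving in the tunnel and in the clear.
TUNNELLED = Packet("198.51.100.7", ROUTER, esp=True, inner=Packet("10.2.0.5", "10.1.0.9"))
CLEARTEXT = Packet("10.2.0.5", "10.1.0.9")
```

Both functions forward `TUNNELLED`; `as_described` also forwards `CLEARTEXT`, while `with_inbound_check` drops it because that traffic was required to arrive protected.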




