
RE: inbound vs outbound?



If I am not mistaken, you still need to look at the SPD on inbound
packet reception to make sure that the packets that needed to get
security treatment did in fact get the correct security treatment.
The statement that you make below works perfectly fine when things
are working OK, but does not detect the packets that should have been
tunneled to the router but were not.

BTW, you may want to think about the overall architecture of this
"router" that you are building. In routers you need to do RFC1812 
checks that require you to know and **remember** the interface that the
packet came in on. In fast (read OC48+ speeds) routers that employ a 
distributed switching architecture, these checks are usually done at
ingress.


Regards

Bora

|-----Original Message-----
|From: mahdavi [mailto:mahdavi@sepahan.iut.ac.ir]
|Sent: Tuesday, July 03, 2001 3:23 AM
|To: ipsec
|Subject: Re: inbound vs outbound?
|
|
|Hi.
|You are right.
|But pay attention to the fact that the RFC is for all implementations.
|Now just verify this phrase (if it is correct, and if it is not, tell me
|why).
|
|"IF a regular packet is received by our router and it was not tunneled
|to this router, it is enough to apply just the outbound process."
|
|If the above sentence is not correct, let me know. (Think about a
|security gateway in a router.)
|
|sincerely yours
|
|mahdavi
|
|>
|> In RFC2401's terminology,
|> an "inbound" packet means a packet received on an interface,
|> an "outbound" packet means a packet sent on an interface.
|>
|> I think you shouldn't use the terms "inbound" and "outbound" if you
|> wish to express another concept.
|>
|> RFC2401, paragraph 4.4, states that "The SPD must be consulted during
|> the processing of all traffic (INBOUND and OUTBOUND), including
|> non-IPsec traffic." and also "Thus the administrative interface must
|> allow the user (or system administrator) to specify the security
|> processing to be applied to any packet entering or exiting the system,
|> on a packet by packet basis."
|>
|> It follows that the SPD is consulted twice for forwarded packets.
|>
|>
|> There are not necessarily two physically separate SPDs, but if you
|> only have one SPD, you should add the "direction (inbound/outbound)"
|> info to each entry.
|>
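The inbound check Bora describes above, as an added example that is not part of the thread: a toy model of an RFC 2401 security gateway whose single SPD carries a direction field, showing that a cleartext packet which should have arrived under the site-to-site SA is caught only by the inbound lookup, while an outbound-only pass would forward it. The prefixes, the SA name "sa-site2" and all function and class names are constructed for illustration; a real implementation also matches protocol and ports and runs the lookup after ESP/AH decapsulation.

```python
"""Toy RFC 2401 SPD consulted on both inbound and outbound (added example).

Everything here (prefixes, SA name, function names) is constructed for
illustration; it is not the posting's or any implementation's code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

BYPASS, DISCARD, PROTECT = "BYPASS", "DISCARD", "PROTECT"
INBOUND, OUTBOUND = "inbound", "outbound"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    # Name of the IPsec SA the packet was received under, or None for
    # cleartext. Set by the decapsulation step before the inbound lookup.
    sa: Optional[str] = None


@dataclass(frozen=True)
class Entry:
    direction: str            # INBOUND or OUTBOUND (one SPD, tagged entries)
    src_net: str
    dst_net: str
    action: str               # BYPASS, DISCARD or PROTECT
    sa: Optional[str] = None  # SA required by a PROTECT entry

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction == direction
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))


def lookup(spd: List[Entry], pkt: Packet, direction: str) -> Entry:
    """Ordered first-match lookup; no match means DISCARD (default deny)."""
    for e in spd:
        if e.matches(pkt, direction):
            return e
    return Entry(direction, "0.0.0.0/0", "0.0.0.0/0", DISCARD)


def process_inbound(spd: List[Entry], pkt: Packet) -> str:
    """Inbound SPD check: did the packet get the treatment policy requires?"""
    e = lookup(spd, pkt, INBOUND)
    if e.action == DISCARD:
        return DISCARD
    if e.action == BYPASS:
        # Cleartext is expected here; IPsec traffic matching a BYPASS entry
        # is treated as a policy mismatch in this toy (a local choice).
        return BYPASS if pkt.sa is None else DISCARD
    # PROTECT: the packet must have arrived under exactly the required SA.
    # A cleartext packet here is the "should have been tunneled" case.
    return "ACCEPT" if pkt.sa == e.sa else DISCARD


def process_outbound(spd: List[Entry], pkt: Packet) -> str:
    """Outbound SPD check on the (inner, cleartext) packet about to be sent."""
    e = lookup(spd, pkt, OUTBOUND)
    return e.action if e.action != PROTECT else "PROTECT via %s" % e.sa


def forward(spd: List[Entry], pkt: Packet) -> str:
    """A forwarded packet consults the SPD twice: on receipt and on transmit."""
    if process_inbound(spd, pkt) == DISCARD:
        return DISCARD
    return process_outbound(spd, Packet(pkt.src, pkt.dst, pkt.proto))


# Constructed policy: this gateway fronts 10.1.0.0/16; the peer site
# 10.2.0.0/16 is reached through the tunnel-mode SA "sa-site2".
SPD = [
    Entry(INBOUND, "10.2.0.0/16", "10.1.0.0/16", PROTECT, "sa-site2"),
    Entry(INBOUND, "10.1.0.0/16", "0.0.0.0/0", BYPASS),   # from the LAN
    Entry(INBOUND, "0.0.0.0/0", "10.1.0.0/16", BYPASS),   # plain Internet traffic
    Entry(OUTBOUND, "10.1.0.0/16", "10.2.0.0/16", PROTECT, "sa-site2"),
    Entry(OUTBOUND, "0.0.0.0/0", "10.1.0.0/16", BYPASS),
    Entry(OUTBOUND, "10.1.0.0/16", "0.0.0.0/0", BYPASS),
]

if __name__ == "__main__":
    # Genuine tunnel traffic from the peer site, then a cleartext packet
    # carrying the same addresses that never went through the tunnel.
    tunneled = Packet("10.2.0.5", "10.1.0.7", "tcp", sa="sa-site2")
    spoofed = Packet("10.2.0.5", "10.1.0.7", "tcp")
    print("tunneled, both lookups:", forward(SPD, tunneled))
    print("cleartext, both lookups:", forward(SPD, spoofed))
    print("cleartext, outbound only:", process_outbound(SPD, spoofed))
```

The third line of output is the failure mode under discussion: with only the outbound lookup the untunneled packet is BYPASSed onto the protected LAN, because nothing has recorded that it arrived without the SA that policy demanded for that source prefix.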