Hi,
I absolutely agree with whatever Christophe has said in his mail
below, except the point that you need to add an entry in your SPD for
direction. SPD means that no direction is required. It is the same for
inbound as well as outbound.
Mahdavi, according to RFC 2401 you have to do an SPD lookup for every
inbound and outbound packet. The only optimization you can do is cache the SPD
so that you don't have to go to the database for every packet.
Regards,
Puja
-------Original Message-------
From: Christophe Gouault
Date: Wednesday, September 05, 2001 06:01:21 AM
To: mahdavi
Subject: Re: inbound vs outbound?

mahdavi wrote:
>
> Hi.
> (as I mentioned)
> It's strange. I did not see this matter that you said in RFC2401. There is no
> reason to look at SPD twice.

In RFC2401's terminology, an "inbound" packet means a packet received on an interface, an "outbound" packet means a packet sent on an interface. I think you shouldn't use the terms "inbound" and "outbound" if you wish to express another concept.

RFC2401, paragraph 4.4, states that "The SPD must be consulted during the processing of all traffic (INBOUND and OUTBOUND), including non-IPsec traffic." and also "Thus the administrative interface must allow the user (or system administrator) to specify the security processing to be applied to any packet entering or exiting the system, on a packet by packet basis."

It results that the SPD is consulted twice for forwarded packets.

> do you think that we have two SPD for an ipsec system ? ( one for outbound
> and one for inbound !! ). but we just have one SPD per IPSEC system.

There are not necessarily two physically separate SPDs, but if you only have one SPD, you should add the "direction (inbound/outbound)" info in each entry.

> [...]
>
> mahdavi.
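An added illustration of the point discussed in the thread (example code written for this page, not from any of the participants or from an IPsec implementation): a single SPD whose entries carry a direction field, consulted once on ingress and once on egress for a forwarded packet, with a per-flow lookup cache in front of it. The gateway, the 10.1.0.0/16 and 10.2.0.0/16 networks and the policy entries are all constructed assumptions.

```python
from dataclasses import dataclass
from functools import lru_cache
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class SpdEntry:
    direction: str        # "inbound" or "outbound" in the RFC 2401 sense
    src: str              # source address selector, CIDR
    dst: str              # destination address selector, CIDR
    proto: Optional[int]  # IP protocol number, None matches any
    action: str           # "PROTECT", "BYPASS" or "DISCARD"

# Constructed policy for a gateway between a LAN (10.1.0.0/16) and a remote
# site (10.2.0.0/16) reached through an IPsec tunnel. Hypothetical addresses.
SPD = (
    SpdEntry("inbound",  "10.1.0.0/16", "10.2.0.0/16", None, "BYPASS"),   # clear text from LAN
    SpdEntry("outbound", "10.1.0.0/16", "10.2.0.0/16", None, "PROTECT"),  # must leave via IPsec
    SpdEntry("inbound",  "10.2.0.0/16", "10.1.0.0/16", None, "PROTECT"),  # must arrive via IPsec
    SpdEntry("outbound", "10.2.0.0/16", "10.1.0.0/16", None, "BYPASS"),   # deliver clear to LAN
    SpdEntry("inbound",  "0.0.0.0/0",   "0.0.0.0/0",   None, "DISCARD"),  # catch-all
    SpdEntry("outbound", "0.0.0.0/0",   "0.0.0.0/0",   None, "DISCARD"),  # catch-all
)

@lru_cache(maxsize=4096)  # the per-flow cache; the SPD itself stays the single source of policy
def spd_lookup(direction: str, src: str, dst: str, proto: int) -> str:
    """Return the action of the first entry matching this direction and selectors.

    The SPD is an ordered list and the first match wins, so catch-all entries go last."""
    for e in SPD:
        if e.direction != direction:
            continue
        if ip_address(src) not in ip_network(e.src) or ip_address(dst) not in ip_network(e.dst):
            continue
        if e.proto is not None and e.proto != proto:
            continue
        return e.action
    raise LookupError("no SPD entry matched; the policy should end with a catch-all")

def forward(src: str, dst: str, proto: int) -> tuple:
    """A forwarded packet is inbound on the ingress interface and outbound on the
    egress interface, so the same header is checked against the SPD twice."""
    on_ingress = spd_lookup("inbound", src, dst, proto)
    if on_ingress == "DISCARD":
        return (on_ingress, None)          # dropped on ingress, never reaches egress
    return (on_ingress, spd_lookup("outbound", src, dst, proto))

if __name__ == "__main__":
    print(forward("10.1.0.7", "10.2.0.9", 6))   # ('BYPASS', 'PROTECT')
    print(forward("10.2.0.9", "10.1.0.7", 6))   # ('PROTECT', 'BYPASS')
    print(forward("192.0.2.1", "10.1.0.7", 6))  # ('DISCARD', None)
```

The same five-tuple yields a different action on ingress and on egress, which is why a single SPD needs the direction in each entry.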