Re: inbound vs outbound?
At 3:43 AM +0430 7/4/01, mahdavi wrote:
>Hi.
>many thanks for your comments.
>but
>
>
>>
>> 2401 describes the SPD in terms of inbound and outbound traffic on a
>> per interface basis. one can have one SPD IF it tags entries on a
>> per-interface basis and based on directionality, but that becomes
>> equivalent to per-interface, per-direction SPDs.
>>
>> >
>> >Also I chose a native implementation, so why do I have to process one packet
>> >twice? I have one IPsec system for all interfaces with just one SPD.
>>
>> one need not look up a packet in the SPD twice. An IPsec-protected
>> packet arriving from the Internet and directed to a system behind an
>> SG is looked up once in the SAD, to map it to an SA, and the
>> processed packet is then looked up in the SPD to ensure that it is
>> consistent with the SA via which it was received.
>>
>> Steve
>
>I am implementing IPsec natively in the heart of a router.
>My IPsec has no contact with any interface. It doesn't know anything about
>the interface for a certain packet. It doesn't know which interface this packet
>came from.
>Inbound SPD and outbound SPD are the same in my design; there is no difference between them.
>
Then you will have a non-compliant implementation, since it will be
unable to apply different policies on a per-interface level.
Steve
P.S. BTW, it's September, month 9, not July, month 7. Please reset
your system clock.
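As an added illustration (not code from the thread or from either poster), the lookup order Steve describes, modelled in Python: one SAD lookup keyed by SPI and outer destination, then one SPD check against entries tagged per interface and per direction, which is what lets a security gateway apply different policy on different interfaces. All class names, addresses and SPI values are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the RFC 2401 SPD/SAD split; not a real IPsec stack.

@dataclass(frozen=True)
class Selector:
    src: str                      # CIDR of inner (decapsulated) source
    dst: str                      # CIDR of inner destination
    proto: Optional[int] = None   # None means "any protocol"

    def matches(self, src, dst, proto):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == proto))

@dataclass(frozen=True)
class SpdEntry:
    iface: str          # SPD entries are tagged per interface ...
    direction: str      # ... and per direction ("in" / "out")
    sel: Selector
    action: str         # "protect", "bypass" or "discard"
    spi: Optional[int] = None   # SA a "protect" entry expects traffic to arrive on

def spd_lookup(spd, iface, direction, src, dst, proto):
    """First matching entry for this interface and direction, else None."""
    for e in spd:
        if e.iface == iface and e.direction == direction and e.sel.matches(src, dst, proto):
            return e
    return None

# SAD keyed by (SPI, outer destination, protocol); constructed sample data.
SAD = {(0x1001, "203.0.113.1", "esp"): {"mode": "tunnel"}}

# Policy only on eth0: eth1 has no inbound entry, so the same SA is rejected there.
SPD = [
    SpdEntry("eth0", "in", Selector("198.51.100.0/24", "10.0.0.0/24"), "protect", 0x1001),
]

def inbound(spd, sad, iface, outer_dst, spi, inner_src, inner_dst, inner_proto):
    """One SAD lookup to find the SA, then one SPD check on the processed packet."""
    sa = sad.get((spi, outer_dst, "esp"))
    if sa is None:
        return "discard: no SA"
    # Decapsulation/verification would happen here; then check the inner packet.
    entry = spd_lookup(spd, iface, "in", inner_src, inner_dst, inner_proto)
    if entry is None or entry.action != "protect" or entry.spi != spi:
        return "discard: SPD mismatch"   # traffic not consistent with the SA it arrived on
    return "accept"
```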