
Re: Does an outbound packet need to be rerouted?



From: Alexey Vyskubov <alexey.vyskubov@nokia.com>
To: ipsec@lists.tislabs.com
cc:
Subject: Re: Does an outbound packet need to be rerouted?
Sent by: owner-ipsec@lists.tislabs.com
Date: 10/02/01 06:19 AM

> Since there is a new IP header, a new route shall be
> needed. The route can be checked every time or cached
> with the first packet.
>
> The selectors for the new packet shall decide whether
> further IPsec processing is required or not. It may be
> possible to still go for IPsec processing, if let us say
> we have the case of nested tunnels.

As far as I understand RFC 2401 says that only one SP should be applied
to the packet. Nested tunnels are implemented using nested SAs, not SPs.

Am I wrong?

Not really, but remember that a policy does not have to be a really well
defined entity.  All a policy needs to do is define what behaviour you
should have while processing IP packets, that's all.  So, you could easily
say that doing multiple IPsec processing using lots of different tunnels on
a single packet, and multiple SAs and SPs (depending on how your
databases are set up) is still exercising a single policy, if the behaviour
is what the system administrator intended.

Really, you don't have to use an explicit single SADB either, as long as
the behaviour of the system is correct with respect to proper packet
processing and behaviour dealing with other hosts.

Steve R.

--
Alexey
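As an added illustration of the outbound processing the thread describes (not code from the list or from any IPsec implementation): a toy model in which an outbound packet is matched against an ordered SPD, a tunnel-mode entry produces a new outer header that is looked up again (the nested-tunnel case), and the route is computed on the final outer header. The addresses, policy entries and the nesting guard are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed, simplified model of RFC 2401 outbound processing: an ordered
# SPD of selector-based entries; a tunnel-mode entry yields a packet with a
# new outer header that is looked up again (nested tunnels) and then routed.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"

@dataclass
class SPDEntry:
    src_net: str
    dst_net: str
    action: str           # "bypass", "discard" or "tunnel"
    tunnel_dst: str = ""  # peer address for the outer header when action == "tunnel"
    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))

MAX_NESTING = 4  # guard: a misconfigured SPD could otherwise encapsulate forever
def spd_lookup(spd, pkt):
    return next((e for e in spd if e.matches(pkt)), None)

def route_lookup(routes, dst):  # routes: (prefix, next_hop), most specific first
    return next((nh for pfx, nh in routes if ip_address(dst) in ip_network(pfx)), None)

def process_outbound(pkt, spd, routes, local_addr):
    """Return (outer packet, tunnel endpoints applied in order, next hop)."""
    layers = []
    for _ in range(MAX_NESTING + 1):
        entry = spd_lookup(spd, pkt)
        if entry is None or entry.action == "discard":
            raise PermissionError(f"no policy permits {pkt.src} -> {pkt.dst}")
        if entry.action == "bypass":  # this header's selectors say: no more IPsec
            return pkt, layers, route_lookup(routes, pkt.dst)
        # tunnel mode: the new outer header runs from us to the peer
        pkt = Packet(src=local_addr, dst=entry.tunnel_dst, proto="esp")
        layers.append(entry.tunnel_dst)
    raise RuntimeError(f"SPD loops: more than {MAX_NESTING} nested tunnels")

# Constructed sample policy: inner tunnel to 192.0.2.1, whose traffic is itself
# carried in a second tunnel to 198.51.100.1; everything else bypasses.
SPD = [SPDEntry("10.1.0.0/16", "10.2.0.0/16", "tunnel", "192.0.2.1"),
       SPDEntry("0.0.0.0/0", "192.0.2.0/24", "tunnel", "198.51.100.1"),
       SPDEntry("0.0.0.0/0", "0.0.0.0/0", "bypass")]
ROUTES = [("198.51.100.0/24", "203.0.113.1"), ("0.0.0.0/0", "203.0.113.254")]
```

The inner packet to 10.2.7.7 would take the default route, but after two encapsulations the outer header is routed via 203.0.113.1, which is why the route lookup has to follow the new header.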