
Re: Precedence on selectors, policy entries or both?



At 12:22 PM -0400 10/12/01, Li Man.M (NRC/Boston) wrote:
>Hi,
>
>RFC 2401 specifies that "The SPD contains an ordered list of policy
>entries". Now, if the selectors are ordered in SPD, the policy entries
>are ordered since each selector points to a policy entry. Is this a
>correct assumption?

Each SPD entry, keyed by selectors, specifies the policy to be 
applied to the traffic that matches the selectors. The policy is 
bypass, discard, or a specification of what IPsec processing must be 
applied to the traffic.

>
>I also see people give precedence to policy entries or policy rules. Is
>this redundant since the selectors are already ordered? Could there be
>potential conflict if both selectors and policy entries have precedence
>orders?

Given the above definition of what a policy is relative to an SPD 
entry, there is no conflict, i.e., the SPD is searched to determine 
the applicable policy. Your confusion may stem from the use of the 
term "policy" in a broader sense, in other contexts.

>
>Which one of the following is the common approach in SPD?
>
>A. Give precedence to selectors only
>B. Give precedence to policy entries only
>C. Give precedence to both selectors and policy entries

A is the right answer.

Steve
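The ordered, first-match SPD search described in the reply above, as an added example that is not part of the original message and not code from any IPsec implementation. It models an SPD as a list of entries, each keyed by a selector (source/destination prefix, optional protocol and destination port) and carrying a policy of BYPASS, DISCARD or PROTECT; the entry's position in the list is its precedence, which is answer A above. The addresses come from the RFC 5737 documentation ranges, the sample SPD is constructed, the "no match means discard" fallback is this model's own conservative choice, and `shadowed_entries` is an added check for the practical consequence of ordered precedence: a narrow entry placed after a broader one that covers it can never be selected.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int          # IP protocol number: 6 = TCP, 17 = UDP
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector: address prefixes plus optional protocol/port (None = any)."""
    src: str
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

    def covers(self, other: "Selector") -> bool:
        """True if every packet that matches `other` also matches self."""
        wild_proto = self.proto is None or self.proto == other.proto
        wild_port = self.dport is None or self.dport == other.dport
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and wild_proto and wild_port)


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str                   # "BYPASS", "DISCARD" or "PROTECT"
    ipsec: Optional[str] = None   # for PROTECT: the required IPsec processing


def spd_lookup(spd: List[SPDEntry], pkt: Packet) -> SPDEntry:
    """Ordered first-match search: list position is the only precedence."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry
    # Model assumption: traffic with no matching entry is discarded.
    return SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), "DISCARD")


def shadowed_entries(spd: List[SPDEntry]) -> List[int]:
    """Indices of entries that can never be selected because an earlier entry covers them."""
    return [i for i, later in enumerate(spd)
            if any(earlier.selector.covers(later.selector) for earlier in spd[:i])]


# Constructed sample SPD (hypothetical site policy, RFC 5737 addresses):
# bypass DNS to one resolver, protect everything else to the peer site, discard the rest.
SPD_OK = [
    SPDEntry(Selector("192.0.2.0/24", "198.51.100.53/32", proto=17, dport=53), "BYPASS"),
    SPDEntry(Selector("192.0.2.0/24", "198.51.100.0/24"), "PROTECT",
             "ESP tunnel via 203.0.113.1"),
    SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), "DISCARD"),
]

# Same entries with the first two swapped: the DNS bypass is now unreachable.
SPD_BAD = [SPD_OK[1], SPD_OK[0], SPD_OK[2]]

DNS = Packet("192.0.2.10", "198.51.100.53", proto=17, dport=53)   # constructed
WEB = Packet("192.0.2.10", "198.51.100.80", proto=6, dport=443)   # constructed

if __name__ == "__main__":
    for name, spd in (("SPD_OK", SPD_OK), ("SPD_BAD", SPD_BAD)):
        print(name, "DNS ->", spd_lookup(spd, DNS).action,
              "| WEB ->", spd_lookup(spd, WEB).action,
              "| shadowed:", shadowed_entries(spd))
```

Running the block shows the same packet getting BYPASS from `SPD_OK` and PROTECT from `SPD_BAD`, with nothing but entry order changed; `shadowed_entries` reports index 1 of `SPD_BAD` so the misordering can be caught when the policy is loaded rather than when DNS silently starts being tunnelled.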

