
Re: IPsec inbound processing



 In your previous mail you wrote:

   The RFC 2401's section 5.2.1 says about selecting an SA / SA bundle for
   Inbound IP traffic. I am at the moment quite confused about the sequence of
   searching and using an SA. 
   
=> RFC 2401 has a high level of details and experience showed this was/is
necessary. Of course, they (the details) are not easy to understand...

   Why is it so that we first directly look for an SA from SAD using the
   selector values of the packet? Why not we directly refer to SPD then get the
   SA pointer from there (SPD) to look it in SAD. 
   
=> just a little question, how can you do this with ESP in tunnel mode
(which is BTW the most common IPsec SA type)?

   And if it is not the way I have written it, how an inbound ip packet is
   processed?
   
=> RFC 2401 section 5.2 (read, reread, and don't stop when you believe
you've understood :-).

Regards

Francis.Dupont@enst-bretagne.fr
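
The ordering discussed in this thread, as an added example that is not part of the original mail: a toy Python model of the RFC 2401 section 5.2.1 inbound sequence for ESP in tunnel mode. The SAD/SPD layout, the XOR stand-in for ESP decryption, the addresses and the SPI are assumptions constructed for illustration.

```python
# Toy model of RFC 2401 section 5.2.1 inbound ordering (not a real IPsec stack).
from dataclasses import dataclass

ESP = 50  # IP protocol number for ESP

@dataclass(frozen=True)
class SA:
    key: int        # stand-in for the ESP key; XOR below is NOT real crypto
    policy_id: int  # SPD entry this SA was negotiated for

# The SAD is indexed only by fields readable in the outer packet:
# (outer destination address, IPsec protocol, SPI). Constructed values.
SAD = {("192.0.2.1", ESP, 0x1001): SA(key=0x5A, policy_id=1)}

# Ordered SPD; selectors are prefixes of the *inner* addresses. Constructed.
SPD = [
    {"id": 1, "src": "10.1.0.", "dst": "10.2.0.", "action": "ipsec"},
    {"id": 2, "src": "", "dst": "", "action": "discard"},  # catch-all
]

def xor(data: bytes, key: int) -> bytes:
    """Placeholder for ESP encryption/decryption."""
    return bytes(b ^ key for b in data)

def spd_lookup(src: str, dst: str) -> dict:
    """First matching SPD entry wins."""
    return next(e for e in SPD
                if src.startswith(e["src"]) and dst.startswith(e["dst"]))

def inbound(outer_dst: str, proto: int, spi: int, payload: bytes) -> str:
    # Step 1: SAD lookup from the outer header and SPI. The inner selectors
    # are still encrypted here, so an SPD lookup is not possible yet.
    sa = SAD.get((outer_dst, proto, spi))
    if sa is None:
        return "drop: no SA"
    # Step 2: apply the SA; only now are the inner selectors visible.
    inner_src, inner_dst = xor(payload, sa.key).decode().split(">")
    # Step 3: find the inbound policy for the inner packet and check that
    # the SA actually used is the one that policy requires.
    entry = spd_lookup(inner_src, inner_dst)
    if entry["action"] != "ipsec" or entry["id"] != sa.policy_id:
        return "drop: policy mismatch"
    return f"accept {inner_src}>{inner_dst}"
```
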