
Re: SPD and SADB per interface



Hi Pawel,

> RFC2401 says that separate SPD and SADB should be maintained for each
> network interface on which IPSec is enabled.
> Does it mean that IKE negotiates IPSec SAs per interface (i.e. each SA
> should be used only for one interface)?

Yes, I believe that is correct.

> If yes, what about gateways which have two or more interfaces leading to the
> same untrusted network?  A remote peer sending IPSec-ed packets to such a
> gateway does not know which SA it shall use, as it can't predict through
> which of the interfaces the packets will arrive at the gateway.

If routing changes so that the packets are delivered to the interface that
does not have an SA, they are not delivered, as you have noted.

A vendor may, as a market differentiator or additional feature, choose to
implement mechanisms that allow interfaces that have some policy rules in
common to share SAs. But a (minimal) IPsec implementation is not required
to support such a capability.

Charlie
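
As an added illustration (not part of Charlie's reply, and not code from any real IPsec stack), the following Python models the two inbound lookup behaviours discussed in the thread: a strict per-interface SAD, in which a packet that lands on an interface holding no matching SA is dropped, and a vendor-style shared SAD in which interfaces with common policy share their SAs. The interface names eth0/eth1/eth2, the SPI 0x1001 and the address 203.0.113.1 are made up for the example.

```python
"""Model of RFC 2401 per-interface SAD lookup versus a vendor shared SAD.

Added illustration only; not code from the mailing-list thread or from any
IPsec implementation. Interface names, SPI and addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    """Inbound SA identity: SPI, destination address and security protocol
    (the triple RFC 2401 uses to select an inbound SA)."""
    spi: int
    dst: str
    proto: str  # "esp" or "ah"


@dataclass(frozen=True)
class Packet:
    """The fields of an arriving IPsec packet that matter for SA lookup,
    plus the interface it arrived on."""
    ingress_if: str
    dst: str
    proto: str
    spi: int


class PerInterfaceSAD:
    """One SAD per IPsec-enabled interface, as RFC 2401 section 4.4 describes.
    An SA installed for eth0 is invisible to traffic arriving on eth1."""

    def __init__(self):
        self._sad = {}  # interface -> {(spi, dst, proto): SA}

    def add(self, interface, sa):
        self._sad.setdefault(interface, {})[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, pkt):
        table = self._sad.get(pkt.ingress_if, {})
        return table.get((pkt.spi, pkt.dst, pkt.proto))


class SharedSAD:
    """Hypothetical vendor extension: a group of interfaces with the same
    policy share one SAD, so an SA is usable on any member interface."""

    def __init__(self, interfaces):
        self._members = frozenset(interfaces)
        self._sad = {}  # (spi, dst, proto) -> SA

    def add(self, sa):
        self._sad[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, pkt):
        if pkt.ingress_if not in self._members:
            return None  # interface is not part of the sharing group
        return self._sad.get((pkt.spi, pkt.dst, pkt.proto))


def inbound(sad, pkt):
    """RFC 2401 inbound rule: no matching SA means the packet is discarded."""
    return "deliver" if sad.lookup(pkt) is not None else "drop"


def scenario():
    """Constructed scenario: the SA was negotiated while the peer's packets
    reached eth0; routing then shifts so the same packets arrive on eth1."""
    sa = SA(spi=0x1001, dst="203.0.113.1", proto="esp")
    via_eth0 = Packet("eth0", "203.0.113.1", "esp", 0x1001)
    via_eth1 = Packet("eth1", "203.0.113.1", "esp", 0x1001)
    via_eth2 = Packet("eth2", "203.0.113.1", "esp", 0x1001)

    strict = PerInterfaceSAD()
    strict.add("eth0", sa)

    shared = SharedSAD(["eth0", "eth1"])  # eth2 is outside the sharing group
    shared.add(sa)

    return {
        "per_if_eth0": inbound(strict, via_eth0),
        "per_if_eth1": inbound(strict, via_eth1),   # the failure mode Pawel raised
        "shared_eth0": inbound(shared, via_eth0),
        "shared_eth1": inbound(shared, via_eth1),   # survives the reroute
        "shared_eth2": inbound(shared, via_eth2),   # not in the group: still dropped
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
```

The shared variant only helps for interfaces that genuinely have the same policy; a packet arriving on an interface outside the sharing group is still discarded, so grouping is a configuration decision rather than a blanket "match the SPI anywhere" rule.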