
Re: typical IPsec-based VPNs incl. modecfg vs. DHCP



 In your previous mail you wrote:

   I'm not sure I fully understand what you just said, but one of the
   things I think I just read is that routing happens after SPD use.

=> yes, policies are applied before the real routing happens.
Often there is a route lookup at the entry of IP output routine
but real routing can be done only at the end because of all the
special cases (multicast, routing headers, policies, etc).

   I think this is highly implementation specific. I've created an
   implementation which supports per-interface policies. In this
   implementation, the SPD for the ingress interface is consulted upon
   receiving a packet, and the appropriate policy is applied.

=> I considered only the egress processing (routing in the ingress
processing is marginal).

   After this
   step, a routing lookup is performed to determine the exit interface, and
   then the SPD associated with that interface is consulted. This is a
   powerful model with interesting properties.
   
=> this is the standard way but this routing lookup doesn't do the
real routing, i.e., another route can be used to send the packet.

   Now, you could say that the SPD is used before routing, as the one on
   the ingress interface certainly is, but what about the one on the egress
   interface? As for routes being the same with or without the VPN, this is
   typically true for exiting packets, although not necessarily in cases
   where an encapsulation occurs due to policy related operations.
   
=> if there is an encapsulation, the route has to be reevaluated so
in this way the SPD is used before final routing. Especially in common
implementations the IPsec decision is from a SPD match, not a route table
one. But this is really implementation dependent and RFC 2401 is not
the clearest document we can find (:-).

Regards

Francis.Dupont@enst-bretagne.fr
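The order of operations the reply describes (a preliminary route lookup at the entry of IP output, an SPD match on the inner packet's selectors, and then a second, final route lookup once tunnel-mode encapsulation has changed the outer destination) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any IPsec implementation it discusses; the interface names, prefixes, tunnel peer and policy entries are constructed for illustration, and the SPD is a first-match list with no catch-all entry, so an unmatched packet is discarded as RFC 2401 requires.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str            # "bypass", "discard" or "protect" (tunnel mode)
    tunnel_peer: str = ""  # outer destination used when action == "protect"


def net(s):
    return ipaddress.ip_network(s)


# Constructed routing table: the remote private site is reachable through a
# virtual "ipsec0" interface, the local LAN through eth1, everything else via
# the public uplink eth0.
ROUTES = [
    Route(net("0.0.0.0/0"), "eth0"),
    Route(net("10.1.0.0/16"), "eth1"),
    Route(net("10.2.0.0/16"), "ipsec0"),
]

# Constructed SPD, consulted in order; first match wins, no match => discard.
SPD = [
    Policy(net("10.1.0.0/16"), net("10.2.0.0/16"), "protect", "203.0.113.10"),
    Policy(net("10.1.0.0/16"), net("0.0.0.0/0"), "bypass"),
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns a Route or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def spd_lookup(src, dst, spd=SPD):
    """Ordered SPD search on the (src, dst) selectors of the inner packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if s in p.src and d in p.dst:
            return p
    return None


def egress(src, dst, spd=SPD, routes=ROUTES):
    """Model of IP output: preliminary route, SPD decision, then final routing
    on whatever packet actually leaves (the encapsulated one after 'protect')."""
    preliminary = route_lookup(dst, routes)
    policy = spd_lookup(src, dst, spd)
    result = {
        "preliminary_iface": preliminary.iface if preliminary else None,
        "action": "discard",
        "outer_dst": None,
        "final_iface": None,
    }
    if policy is None or policy.action == "discard":
        return result                      # no policy => drop, never routed
    if policy.action == "bypass":
        final = preliminary                # cleartext: first lookup stands
        outer_dst = dst
    else:
        outer_dst = policy.tunnel_peer     # tunnel mode: new outer header
        final = route_lookup(outer_dst, routes)  # route must be re-evaluated
    result.update(action=policy.action, outer_dst=outer_dst,
                  final_iface=final.iface if final else None)
    return result


if __name__ == "__main__":
    for src, dst in [("10.1.0.5", "10.2.0.7"),       # site-to-site, protected
                     ("10.1.0.5", "198.51.100.20"),  # plain internet, bypass
                     ("192.0.2.1", "10.2.0.7")]:     # not from our LAN, no policy
        print(src, "->", dst, egress(src, dst))
```

The protected packet shows the point made above: the preliminary lookup on the inner destination picks `ipsec0`, but after encapsulation the outer destination (the tunnel peer) is routed again and the datagram leaves through `eth0`. The SPD decision came from the policy match, not from the routing table.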