
Re: Question on inbound IPSEC policy check



Hi Jyothi,
     The HTTP packets that are coming via the AH-MD5 tunnel
     should be dropped by SG1. You might have been confused by the
     text in RFC2401 section 5.2.1, Bullet 3, which reads like this.

     "Find an incoming policy in the SPD that matches the packet.
      This could be done, for example, by use of backpointers
      from the SAs to the SPD or by matching the packet's selectors
      (Inner Header if tunneled) against those of the policy entries
       in the SPD "

     In my view, the text indicating "backpointers from SA" is confusing.
     Dropping HTTP traffic in the following example by SG1 is good, and I would
     like to hear from other IPSEC vendors as it impacts interoperability.

     I feel the text for bullet 3 should be read like this:
     "Find an incoming policy in the SPD that matches the packet selectors.
      This could be done by matching packet selectors against those of the
      policy entries in the SPD in their order of priority."


Suren
Intoto Inc
3160, De La Cruz Blvd #100
Santa Clara, CA
www.intotoinc.com


At 01:03 PM 4/23/2003 +0530, Jyothi wrote:
>Hi all,
>
>I have a question regarding the inbound SPD policy checking.
>
>Please consider the following scenario:
>
>Office1Network-----SG1---------Internet------------SG2-------Office2Network.
>
>Office1Network has HTTP as well as other services hosted.
>Office1 administrator wants to make sure that all HTTP traffic has to go with
>3DES and SHA1.
>
>And all other traffic can go with AH MD5 and no encryption is required for
>performance reasons.
>
>In this case, if office2Network SG is mis-configured or they did not even
>configure HTTP policy.
>
>Then SG1 accepts the HTTP traffic and processes it.
>After IPSEC processing, SHOULD WE ACCEPT THOSE PACKETS OR DROP THOSE 
>PACKETS, because higher priority SPD policy is created for the HTTP traffic.
>
>Any advice on this would be greatly appreciated
>
>
>Thanks in advance,
>Jyothi
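The two readings of RFC 2401 bullet 3 discussed above, worked through as an added example that is not part of this thread or of either vendor's implementation. It models SG1's SPD from Jyothi's scenario (HTTP must use ESP with 3DES/SHA1, everything else may use AH-MD5), the SA an inbound packet was decapsulated from, and two inbound checks: one that walks the SPD in priority order by packet selectors and then verifies the SA actually supplied the required protection (Suren's reading), and one that consults only the SPD entry the SA points back to. The packet fields, SPIs, addresses and policy names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the thread's scenario: a decapsulated inner packet,
# the SA it arrived on, and a small priority-ordered SPD at SG1.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # transport protocol of the inner header, e.g. "tcp"
    dport: int       # destination port of the inner header


@dataclass(frozen=True)
class SA:
    spi: int
    ipsec_proto: str   # "ESP" or "AH"
    encryption: str    # "3DES" or "none"
    integrity: str     # "SHA1" or "MD5"
    policy_name: str   # backpointer to the SPD entry that created this SA


@dataclass(frozen=True)
class Policy:
    name: str
    proto: Optional[str]   # None acts as a wildcard selector
    dport: Optional[int]   # None acts as a wildcard selector
    ipsec_proto: str
    encryption: str
    integrity: str

    def matches(self, pkt: Packet) -> bool:
        """Selector match of the inner header against this entry."""
        return ((self.proto is None or self.proto == pkt.proto) and
                (self.dport is None or self.dport == pkt.dport))

    def satisfied_by(self, sa: SA) -> bool:
        """Did the SA that carried the packet provide what this entry requires?"""
        return (sa.ipsec_proto == self.ipsec_proto and
                sa.encryption == self.encryption and
                sa.integrity == self.integrity)


# Office1's SPD at SG1, highest priority first.
SPD = [
    Policy("http-esp-3des-sha1", "tcp", 80, "ESP", "3DES", "SHA1"),
    Policy("other-ah-md5", None, None, "AH", "none", "MD5"),
]


def check_by_selectors(pkt: Packet, sa: SA, spd=SPD) -> Tuple[str, str]:
    """Walk the SPD in priority order; the first selector match decides which
    entry applies, and the packet is accepted only if the SA it came through
    delivers the protection that entry requires."""
    for policy in spd:
        if policy.matches(pkt):
            if policy.satisfied_by(sa):
                return ("accept", policy.name)
            return ("drop",
                    f"{policy.name} requires {policy.ipsec_proto}/"
                    f"{policy.encryption}/{policy.integrity}, got SA 0x{sa.spi:x} "
                    f"{sa.ipsec_proto}/{sa.encryption}/{sa.integrity}")
    return ("drop", "no matching SPD entry")


def check_by_backpointer(pkt: Packet, sa: SA, spd=SPD) -> Tuple[str, str]:
    """Consult only the SPD entry the SA points back to, ignoring any
    higher-priority entry the packet would have matched."""
    policy = next(p for p in spd if p.name == sa.policy_name)
    if policy.matches(pkt):
        return ("accept", policy.name)
    return ("drop", f"packet does not match {policy.name}")


# Constructed SAs: SG2 only negotiated the broad AH-MD5 SA (its HTTP policy is
# missing or misconfigured), while a correct peer would also have the ESP SA.
AH_MD5_SA = SA(0x1001, "AH", "none", "MD5", "other-ah-md5")
ESP_SA = SA(0x1002, "ESP", "3DES", "SHA1", "http-esp-3des-sha1")

# Constructed inner packets arriving at SG1 from Office2Network.
HTTP_PKT = Packet("10.2.0.5", "10.1.0.10", "tcp", 80)
DNS_PKT = Packet("10.2.0.5", "10.1.0.53", "udp", 53)

if __name__ == "__main__":
    for label, pkt, sa in [("HTTP via AH-MD5", HTTP_PKT, AH_MD5_SA),
                           ("HTTP via ESP", HTTP_PKT, ESP_SA),
                           ("DNS via AH-MD5", DNS_PKT, AH_MD5_SA)]:
        print(f"{label:16} selectors:   {check_by_selectors(pkt, sa)}")
        print(f"{label:16} backpointer: {check_by_backpointer(pkt, sa)}")
```

Run as a script, the HTTP packet that arrived through the AH-MD5 SA is dropped by the ordered-selector check, because the highest-priority entry it matches demands ESP with 3DES/SHA1, while the backpointer check accepts it, since the only entry it ever consults is the wildcard AH-MD5 one. The DNS packet over AH-MD5 and the HTTP packet over the ESP SA are accepted by both. That difference is exactly the interoperability and policy-enforcement gap the reply is pointing at: a peer that fails to set up the stronger SA should not be able to get HTTP through on the weaker one.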