
Re: issue with "per-interface SAD/SPD"

Francis Dupont wrote:

> RFC 2401 mandates (section 4.4, page 13) separate inbound and
> outbound databases (SAD and SPD) for each IPsec-enabled interface.
> This doesn't work in a dynamic environment where, for instance, dynamic
> routing makes the arrival of a packet for an address of a node possible
> on more than one interface in the long term, or where the peer is a mobile
> node.
> The problem exists at least in SAD lookup for incoming traffic and for
> SPD matching in IKE... IMHO the simplest (so the best :-) solution is
> to introduce an interface selector: the "firewall" properties are kept
> but a SPD entry can be "shared" between some interfaces.
> How this will be handled in the revision of RFC 2401?
> Regards
> Francis.Dupont@enst-bretagne.fr

FYI, we addressed this sort of issue in draft-touch-ipsec-vpn-05.txt, 
which was submitted independently as an Informational in April.

Introducing an interface selector is insufficient; the selector needs to
indicate the next-hop IP address and interface, as both are required for
IP forwarding. The details of this issue, and simpler alternatives, are
discussed in the draft.
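The two lookup models under discussion, as an added toy example for this thread (it is not code from RFC 2401, from draft-touch-ipsec-vpn, or from either poster). It contrasts a per-interface inbound SPD, where an entry installed on one interface is invisible to traffic that arrives on another, with a single SPD whose entries carry an interface selector, and, for outbound entries, the (egress interface, next hop) pairs that forwarding needs. Interface names, addresses, and the field names `ifaces` and `next_hops` are assumptions for illustration only.

```python
"""Toy model of IPsec SPD lookup for the per-interface vs. shared-SPD question.
Constructed example added to this thread; it is not code from RFC 2401 or from
draft-touch-ipsec-vpn.  Interface names, addresses and the field names used
here (ifaces, next_hops) are assumptions for illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    iface: str  # inbound: arrival interface; outbound: egress interface chosen by routing


@dataclass
class SpdEntry:
    src_net: str
    dst_net: str
    proto: Optional[int]                        # None matches any protocol
    action: str                                 # "protect", "bypass" or "discard"
    ifaces: FrozenSet[str]                      # interface selector (assumed field)
    next_hops: Optional[Dict[str, str]] = None  # outbound: egress iface -> next-hop IP (assumed field)

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt.proto)
                and pkt.iface in self.ifaces)


def lookup(spd: List[SpdEntry], pkt: Packet) -> Optional[SpdEntry]:
    """Ordered first-match search of one SPD."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return None


PEER = "203.0.113.7/32"   # constructed: a peer reachable over either upstream
US = "192.0.2.1/32"       # constructed: our own address

# RFC 2401 section 4.4 style: a separate inbound SPD per interface.  The entry
# was installed on eth0 when the SA was negotiated.
PER_IFACE_INBOUND: Dict[str, List[SpdEntry]] = {
    "eth0": [SpdEntry(PEER, US, None, "protect", frozenset({"eth0"}))],
    "eth1": [],
}

# One shared SPD whose entries carry an interface selector and, for the
# outbound direction, the (egress interface, next hop) pairs forwarding needs.
SHARED_INBOUND = [SpdEntry(PEER, US, None, "protect", frozenset({"eth0", "eth1"}))]
SHARED_OUTBOUND = [SpdEntry(US, PEER, None, "protect", frozenset({"eth0", "eth1"}),
                            next_hops={"eth0": "198.51.100.1", "eth1": "198.51.100.129"})]


def inbound_action(pkt: Packet, per_interface: bool) -> str:
    """Inbound policy decision; unmatched inbound traffic is discarded (RFC 2401)."""
    spd = PER_IFACE_INBOUND.get(pkt.iface, []) if per_interface else SHARED_INBOUND
    entry = lookup(spd, pkt)
    return entry.action if entry else "discard"


def outbound_decision(pkt: Packet) -> Tuple[str, Optional[str], Optional[str]]:
    """Outbound: policy plus the forwarding data (egress interface and next hop)
    that the selector has to supply for the packet to be sent at all."""
    entry = lookup(SHARED_OUTBOUND, pkt)
    if entry is None:
        return ("discard", None, None)
    if entry.next_hops is None or pkt.iface not in entry.next_hops:
        return ("discard", None, None)  # no forwarding info for this egress: cannot send
    return (entry.action, pkt.iface, entry.next_hops[pkt.iface])


if __name__ == "__main__":
    # Routing moved the peer's traffic from eth0 to eth1 (or the peer is mobile).
    moved = Packet("203.0.113.7", "192.0.2.1", 6, "eth1")
    print("per-interface SPD:", inbound_action(moved, per_interface=True))   # discard
    print("shared SPD:       ", inbound_action(moved, per_interface=False))  # protect
    print("outbound via eth1:", outbound_decision(Packet("192.0.2.1", "203.0.113.7", 6, "eth1")))
```

The per-interface model discards the peer's packets as soon as they arrive on eth1, even though a valid SA exists, which is the failure the quoted message describes. The shared entry matches on either interface, and its outbound counterpart still cannot be applied by interface alone: it has to yield a next hop for the chosen egress, otherwise there is nothing to forward to.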