Re: issue with "per-interface SAD/SPD"

[Joe Touch <touch@ISI.EDU>]

Francis Dupont wrote:

> The RFC 2401 mandates (section 4.4, page 13) separate inbound and
> outbound databases (SAD and SPD) for each IPsec-enabled interface.
> This doesn't work in a dynamic environment where for instance dynamic
> routing makes the arrival of a packet for an address of a node possible
> on more than one interface in a long term, or where the peer is a mobile
> node.
> The problem exists at least in SAD lookup for incoming traffic and for
> SPD matching in IKE... IMHO the simplest (so the best :-) solution is
> to introduce an interface selector: the "firewall" properties are kept
> but a SPD entry can be "shared" between some interfaces.
> How this will be handled in the revision of RFC 2401?
> 
> Regards
> 
> Francis.Dupont@enst-bretagne.fr

FYI, we addressed this sort of issue in draft-touch-ipsec-vpn-05.txt, 
which was submitted independently as an Informational in April.

Introducing an interface selector is insufficient; the selector needs to 
indicate the next-hop IP address and interface, as both are required for 
IP forwarding. The details of this issue, and simpler alternatives are 
discussed in the draft.

Joe