[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: issue with "per-interface SAD/SPD"

To: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Subject: Re: issue with "per-interface SAD/SPD"
From: Karen Seo <kseo@bbn.com>
Date: Mon, 9 Jun 2003 23:49:39 -0400
Cc: ipsec@lists.tislabs.com
In-Reply-To: <200306091606.h59G62of004050@givry.rennes.enst-bretagne.fr>
References: <200306091606.h59G62of004050@givry.rennes.enst-bretagne.fr>
Sender: owner-ipsec@lists.tislabs.com

Francis,

I see your point but am not sure how Steve (Kent) would propose to 
address this. He's on vacation until 6/17.  So I just wanted to let 
you know that we'll get back to you as soon as he returns (and has a 
chance to plow through his email backlog :-).)

Karen

>The RFC 2401 mandates (section 4.4, page 13) separate inbound and
>outbound databases (SAD and SPD) for each IPsec-enabled interface.
>This doesn't work in a dynamic environment where for instance dynamic
>routing makes the arrival of a packet for an address of a node possible
>on more than one interface in a long term, or where the peer is a mobile
>node.
>The problem exists at least in SAD lookup for incoming traffic and for
>SPD matching in IKE... IMHO the simplest (so the best :-) solution is
>to introduce an interface selector: the "firewall" properties are kept
>but a SPD entry can be "shared" between some interfaces.
>How this will be handled in the revision of RFC 2401?
>
>Regards
>
>Francis.Dupont@enst-bretagne.fr

References:
- issue with "per-interface SAD/SPD"
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

Prev by Date: Identity protection [Re: Working Group Last Call IKEv2]
Next by Date: Re: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD toSHOULD+
Prev by thread: Re: issue with "per-interface SAD/SPD"
Next by thread: Re: issue with "per-interface SAD/SPD"
Index(es):
- Date
- Thread