
Re: issue with "per-interface SAD/SPD"


I see your point but am not sure how Steve (Kent) would propose to 
address this. He's on vacation until 6/17.  So I just wanted to let 
you know that we'll get back to you as soon as he returns (and has a 
chance to plow through his email backlog :-).)


>RFC 2401 mandates (section 4.4, page 13) separate inbound and
>outbound databases (SAD and SPD) for each IPsec-enabled interface.
>This doesn't work in a dynamic environment where, for instance, dynamic
>routing makes the arrival of a packet for an address of a node possible
>on more than one interface in the long term, or where the peer is a mobile
>The problem exists at least in SAD lookup for incoming traffic and for
>SPD matching in IKE... IMHO the simplest (so the best :-) solution is
>to introduce an interface selector: the "firewall" properties are kept
>but an SPD entry can be "shared" between some interfaces.
>How will this be handled in the revision of RFC 2401?
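The two lookup structures the quoted message contrasts, as an added example (not code from this thread, from RFC 2401, or from any IPsec implementation). It models a strict per-interface inbound SAD beside a single SAD whose entries carry an interface selector, and an SPD entry with the same selector as used in an IKE policy check. The interface names, SPI, and addresses are constructed (RFC 5737 documentation ranges); only the SA identifier triple (SPI, destination address, protocol) follows RFC 2401 section 4.4.1.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added example; all SPIs, addresses and interface names below are constructed.


@dataclass(frozen=True)
class SAKey:
    """Inbound SA identifier per RFC 2401 4.4.1: (SPI, destination address, protocol)."""
    spi: int
    dst: str
    proto: str          # "ESP" or "AH"


@dataclass(frozen=True)
class SA:
    key: SAKey
    peer: str           # remote tunnel endpoint


class PerInterfaceSAD:
    """Strict reading of RFC 2401 4.4: a separate inbound SAD for every IPsec interface."""

    def __init__(self) -> None:
        self._tables: dict[str, dict[SAKey, SA]] = {}

    def add(self, ifname: str, sa: SA) -> None:
        self._tables.setdefault(ifname, {})[sa.key] = sa

    def lookup(self, ifname: str, key: SAKey) -> SA | None:
        # An SA installed for eth0 is invisible to the same packet arriving on eth1.
        return self._tables.get(ifname, {}).get(key)


class SharedSAD:
    """One SAD; each SA carries an interface selector (the set of interfaces it is valid on)."""

    def __init__(self) -> None:
        self._table: dict[SAKey, tuple[SA, frozenset[str]]] = {}

    def add(self, ifnames: set[str], sa: SA) -> None:
        self._table[sa.key] = (sa, frozenset(ifnames))

    def lookup(self, ifname: str, key: SAKey) -> SA | None:
        entry = self._table.get(key)
        if entry is None:
            return None
        sa, allowed = entry
        # The selector keeps the "firewall" property: interfaces outside the set still miss.
        return sa if ifname in allowed else None


@dataclass(frozen=True)
class SPDEntry:
    """Policy entry whose selectors include an interface set alongside the traffic selectors."""
    src: str            # CIDR
    dst: str            # CIDR
    ifnames: frozenset[str]
    action: str         # "PROTECT", "BYPASS" or "DISCARD"

    def matches(self, ifname: str, src_ip: str, dst_ip: str) -> bool:
        return (ifname in self.ifnames
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def spd_lookup(spd: list[SPDEntry], ifname: str, src_ip: str, dst_ip: str) -> str | None:
    """First-match policy lookup, as a responder does when checking an IKE proposal."""
    for entry in spd:
        if entry.matches(ifname, src_ip, dst_ip):
            return entry.action
    return None


def inbound_after_reroute() -> dict[str, bool]:
    """Constructed scenario: the SA was set up while the peer was reached via eth0;
    a routing change later delivers the peer's ESP packets on eth1."""
    key = SAKey(spi=0x1000, dst="192.0.2.1", proto="ESP")
    sa = SA(key=key, peer="198.51.100.7")

    per_if = PerInterfaceSAD()
    per_if.add("eth0", sa)

    shared = SharedSAD()
    shared.add({"eth0", "eth1"}, sa)

    return {
        "per_if_eth0": per_if.lookup("eth0", key) is not None,
        "per_if_eth1": per_if.lookup("eth1", key) is not None,   # False: traffic dropped
        "shared_eth0": shared.lookup("eth0", key) is not None,
        "shared_eth1": shared.lookup("eth1", key) is not None,   # True: SA shared across the set
        "shared_ppp0": shared.lookup("ppp0", key) is not None,   # False: not in the selector
    }


def ike_policy_check() -> dict[str, str | None]:
    """One SPD entry shared between eth0 and eth1: an IKE proposal for the same traffic
    is accepted on either interface, and still refused on an interface outside the set."""
    spd = [
        SPDEntry("203.0.113.0/24", "192.0.2.0/24", frozenset({"eth0", "eth1"}), "PROTECT"),
        SPDEntry("0.0.0.0/0", "0.0.0.0/0", frozenset({"eth0", "eth1", "ppp0"}), "DISCARD"),
    ]
    return {name: spd_lookup(spd, name, "203.0.113.9", "192.0.2.1")
            for name in ("eth0", "eth1", "ppp0")}


if __name__ == "__main__":
    print(inbound_after_reroute())
    print(ike_policy_check())
```

With the per-interface table the rerouted packet misses the SAD and is discarded even though a valid SA exists; with the interface selector the same SA is found on any interface in its set, while an interface outside the set still gets no match, which is the "firewall" property the message wants to preserve.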