
Re: revised IPsec processing model



 In your previous mail you wrote:

   Here is the new, proposed processing model for IPsec.  Comments 
   welcome, of course.
   
=> some comments:
   
   Several concepts underlie the proposed model:
   
   - virtual interface: every IPsec device has at least one virtual 
   interface, ...

=> with scoped addresses, all the physical interfaces must belong
to the same zone. In the case of link-local addresses, this means
there is a one-to-one built-in mapping between interfaces which
support link-local addresses (almost all in IPv6) and some kind of
virtual interfaces. BTW, this can answer Itojun's concern.
   
   - forwarding function: to provide a clear separation between 
   forwarding (routing) and security decisions, ...

=> it is not clear whether the forwarding function applies only
to forwarded packets (i.e., packets forwarded by a router) or
whether this is only the "routing" part of the ip_output() procedure.

   With these concepts in mind, we can describe the revised model. First 
   we examine outbound traffic processing.  (There is no separate 
   discussion of fragment processing for now, as we await the WG 
   decisions of several pending proposals re fragmentation.)
   
   1. when a packet arrives from a subscriber interface, invoke the 
   forwarding lookup function.
   
=> can you define what a subscriber interface is? I am afraid the
model applies only to routers, i.e., what to do with genuine traffic?

Thanks

Francis.Dupont@enst-bretagne.fr