Re: revised IPsec processing model
In your previous mail you wrote:
Here is the new, proposed processing model for IPsec. Comments
welcome, of course.
=> some comments:
Several concepts underlie the proposed model:
- virtual interface: every IPsec device has at least one virtual
interface, ...
=> with scoped addresses, all the physical interfaces must belong
to the same zone. In the case of link-local addresses, this means
there is a one-to-one built-in mapping between interfaces which
support link-local addresses (almost all in IPv6) and some kind of
virtual interfaces. BTW, this can answer Itojun's concern.
- forwarding function: to provide a clear separation between
forwarding (routing) and security decisions, ...
=> it is not clear whether the forwarding function applies only
to forwarded packets (i.e., packets forwarded by a router) or
whether this is only the "routing" part of the ip_output() procedure.
With these concepts in mind, we can describe the revised model. First
we examine outbound traffic processing. (There is no separate
discussion of fragment processing for now, as we await the WG
decisions of several pending proposals re fragmentation.)
1. when a packet arrives from a subscriber interface, invoke the
forwarding lookup function.
=> can you define what a subscriber interface is? I am afraid the
model applies only to routers, i.e., what to do with genuine traffic?
Thanks
Francis.Dupont@enst-bretagne.fr
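The two concepts the thread argues over, a forwarding lookup kept separate from the security-policy decision and a virtual interface that groups physical interfaces, can be seen more concretely in a small model. The following is an added example written for this page; it is not code from the proposal or from either correspondent, and the names (VirtualInterface, forwarding_lookup, spd_lookup, outbound) and the sample tables are assumptions made for illustration. It also carries the scoped-address point from the reply: when the next hop is link-local, the virtual interface's physical members must all sit in one zone, otherwise the egress is ambiguous and the packet is refused rather than guessed.

```python
from dataclasses import dataclass
import ipaddress

# Constructed toy model of the outbound path discussed in the thread.
# All names and tables here are this example's own assumptions.


@dataclass(frozen=True)
class PhysicalInterface:
    name: str
    scope_zone: int   # assumption: one link-local zone index per link


@dataclass
class VirtualInterface:
    name: str
    physical: list    # PhysicalInterface objects grouped under this vif

    def zone(self):
        # The reply's point: scoped (link-local) addresses only make sense if
        # every physical member of the virtual interface is in the same zone.
        zones = {p.scope_zone for p in self.physical}
        if len(zones) != 1:
            raise ValueError(f"{self.name}: members span zones {sorted(zones)}")
        return zones.pop()


def forwarding_lookup(table, dst):
    """Longest-prefix match; returns (egress vif name, next hop) or None.
    This is the routing decision only; it knows nothing about policy."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, vif, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, vif, nexthop)
    return None if best is None else (best[1], best[2])


def spd_lookup(spd, dst):
    """First-match SPD keyed on the destination selector only (simplified).
    No matching entry means discard, as in the IPsec SPD model."""
    dst = ipaddress.ip_address(dst)
    for prefix, action in spd:
        if dst in ipaddress.ip_network(prefix):
            return action
    return "DISCARD"


def outbound(packet_dst, table, spd, vifs):
    """Step 1 of the quoted model: forwarding lookup first, then, as a
    separate step, the security decision. Returns (action, vif, zone)."""
    route = forwarding_lookup(table, packet_dst)
    if route is None:
        return ("NO_ROUTE", None, None)
    vif_name, nexthop = route
    # Scope check only matters when the next hop is a link-local address.
    zone = None
    if ipaddress.ip_address(nexthop).is_link_local:
        zone = vifs[vif_name].zone()
    action = spd_lookup(spd, packet_dst)
    return (action, vif_name, zone)


# Constructed sample configuration (not from the thread).
VIFS = {
    "vif0": VirtualInterface("vif0", [PhysicalInterface("eth0", 1),
                                      PhysicalInterface("eth1", 1)]),
    # vif1 is misconfigured on purpose: its members are in different zones.
    "vif1": VirtualInterface("vif1", [PhysicalInterface("eth2", 2),
                                      PhysicalInterface("eth3", 3)]),
}
TABLE = [
    ("2001:db8:1::/48", "vif0", "2001:db8:1::1"),
    ("2001:db8:2::/48", "vif1", "fe80::1"),
    ("::/0",            "vif0", "fe80::ffff"),
]
SPD = [
    ("2001:db8:1::/48", "PROTECT"),
    ("2001:db8:2::/48", "BYPASS"),
]

if __name__ == "__main__":
    for dst in ("2001:db8:1::5", "2001:db8:3::9", "2001:db8:2::9"):
        try:
            print(dst, outbound(dst, TABLE, SPD, VIFS))
        except ValueError as e:
            print(dst, "refused:", e)
```

The design choice worth noticing is that `forwarding_lookup` and `spd_lookup` never consult each other: the route picks the egress virtual interface, the SPD picks protect/bypass/discard, and `outbound` is the only place the two results meet. A destination with no SPD entry is still routed but ends in DISCARD, and a link-local next hop on a virtual interface whose members straddle zones is refused with an error instead of being sent out an arbitrary link.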