
Re: revised IPsec processing model



At 16:25 +0200 7/19/03, Markus Friedl wrote:
>On Sat, Jul 19, 2003 at 07:59:27PM +0900, itojun@iijlab.net wrote:
>>	by introducing "virtual interface" and switching m->m_pkthdr.rcvif
>>	based on the virtual interface, you will become unable to identify
>>	peer correctly - after IPsec processing, both "fe80::1%segment1" and
>>	"fe80::1%segment2" would become "fe80::1%ipsec".  providing 1-by-1
>>	mapping between virtual interface and real interface does not provide
>>	a solution, since you will now see non-IPsec traffic as sent from
>>	"fe80::1%segment1" and IPsec traffic as sent from "fe80::1%ipsec1",
>>	and upper layer will get confused.
>
>I don't think the 'virtual interface' needs to replace the
>m_pkthdr.rcvif.  The virtual interface can just be attached as some
>kind of mbuf tag.
>
>However, I don't see a difference between having the VID
>as a special selector in a single SPD and having multiple SPDs
>selected by VID.

You are correct that one could choose to implement a single SPD in 
which the VID was another "selector." However, I avoided presenting 
this as the basic model for at least two reasons that I can recall 
now:

	- in 2401 we talked in terms of per interface SPDs, so it is 
more consistent with the old model to talk in terms of per-virtual 
interface SPDs

	- we have generally reserved the term "selector" for data 
items extracted from packet headers.  the VID is not part of a packet 
header.

Steve
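The two SPD organizations Markus calls equivalent, and the rcvif problem itojun raises, modeled as an added example; this is not code from the thread or from any kernel, and the Pkt/Rule records, the VID-as-mbuf-tag field and the sample policy are constructed assumptions.

```python
from dataclasses import dataclass
ANY = "*"   # wildcard selector value
@dataclass(frozen=True)
class Pkt:                # hypothetical packet record
    src: str              # address without scope id, e.g. "fe80::1"
    dst: str
    proto: str
    rcvif: str            # real receiving interface (m_pkthdr.rcvif)
    vid: str = ""         # virtual interface id from an mbuf tag; "" = not IPsec
@dataclass(frozen=True)
class Rule:               # one SPD entry: header selectors plus action
    src: str
    dst: str
    proto: str
    action: str           # "protect", "bypass" or "discard"
    vid: str = ANY        # VID selector, consulted only by the single-SPD model

def _sel(want, have): return want == ANY or want == have
def lookup_single_spd(spd, pkt):
    """One SPD where the VID is just another selector; first match wins."""
    for r in spd:
        if all(_sel(w, h) for w, h in ((r.src, pkt.src), (r.dst, pkt.dst),
                                       (r.proto, pkt.proto), (r.vid, pkt.vid))):
            return r.action
    return "discard"      # no matching entry: drop

def split_by_vid(spd, vids):
    """Per-VID SPDs derived from the single one; ANY serves unknown/untagged VIDs."""
    return {v: [Rule(r.src, r.dst, r.proto, r.action) for r in spd if r.vid in (ANY, v)]
            for v in set(vids) | {ANY}}

def lookup_per_vid(spds, pkt):
    """Multiple SPDs selected by VID; the inner lookup sees header selectors only."""
    return lookup_single_spd(spds.get(pkt.vid, spds[ANY]), pkt)

def peer_id(pkt, rewrite_rcvif):
    """Scoped peer address as upper layers see it; rewriting rcvif merges segments."""
    return f"{pkt.src}%{pkt.vid if rewrite_rcvif else pkt.rcvif}"

SPD = [Rule("fe80::1", ANY, "icmp6", "bypass"),                 # constructed policy
       Rule("2001:db8::1", ANY, "tcp", "protect", vid="ipsec1"),
       Rule("2001:db8::1", ANY, "tcp", "bypass", vid="ipsec2")]
PKTS = [Pkt("2001:db8::1", "2001:db8::2", "tcp", "segment1", "ipsec1"),  # constructed
        Pkt("2001:db8::1", "2001:db8::2", "tcp", "segment2", "ipsec2"),
        Pkt("2001:db8::1", "2001:db8::2", "tcp", "segment1", "ipsec3"),  # unknown VID
        Pkt("fe80::1", "ff02::1", "icmp6", "segment1")]                   # untagged

def models_agree(spd=SPD, pkts=PKTS):
    spds = split_by_vid(spd, [r.vid for r in spd if r.vid != ANY])
    return all(lookup_single_spd(spd, p) == lookup_per_vid(spds, p) for p in pkts)
```

Both lookups give the same answers for every sample packet, while peer_id shows that two link-local peers on different segments collapse to one name only when rcvif is rewritten rather than tagged.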