Re: revised IPsec processing model
At 16:40 +0200 7/21/03, Francis Dupont wrote:
> In your previous mail you wrote:
>
> Here is the new, proposed processing model for IPsec. Comments
> welcome, of course.
>
>=> some comments:
>
> Several concepts underlie the proposed model:
>
> - virtual interface: every IPsec device has at least one virtual
> interface, ...
>
>=> with scoped addresses, all the physical interfaces must belong
>to the same zone. In the case of link-local addresses, this means
>there is a one-to-one built-in mapping between interfaces which
>support link-local addresses (almost all in IPv6) and some kind of
>virtual interfaces. BTW, this can answer to Itojun's concern.
As I mentioned in my earlier messages, I don't understand the
internals of an IPv6 host implementation well enough to appreciate
these issues. I am assuming that the responses from other folks about
how to interpret the VID concept in this context will suffice.
>
> - forwarding function: to provide a clear separation between
> forwarding (routing) and security decisions, ...
>
>=> it is not clear whether the forwarding function applies only
>to forwarded packets (i.e., packets forwarded by a router) or
>this is only the "routing" part of the ip_output() procedure.
I do tend to think in terms of BITW/BITS and SG implementations of
IPsec, so that prejudice may be showing here. The intent of the
forwarding function, in a host environment and absent IPsec, would be
to select the interface to which the packet would be forwarded. So, I
think this maps to the "routing part ..." as you noted above.
> With these concepts in mind, we can describe the revised model. First
> we examine outbound traffic processing. (There is no separate
> discussion of fragment processing for now, as we await the WG
> decisions of several pending proposals re fragmentation.)
>
> 1. when a packet arrives from a subscriber interface, invoke the
> forwarding lookup function.
>
>=> can you define what is a subscriber interface? I am afraid the
>model applies only to routers, i.e., what to do with genuine traffic?
I was thinking in terms of the interface via which an outbound packet
is initially received. So, in a host, this is the interface from
which upper layer protocols present packets to the IP layer. In a SG,
it is the interface that connects to the network that we think of as
being "behind" the security gateway.
Steve
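The following is an added example, not code from the draft processing model or from either correspondent. It models only what the thread above supports: a forwarding function that is purely a routing lookup (longest prefix match selecting an egress interface, with the IPsec virtual interface as one possible target and no security decision taken), and the constraint Francis raises that every physical interface behind one virtual interface must belong to the same link-local scope zone. Interface names (sub0, ext0, ext1, ipsec0), the zone labels, and all prefixes are constructed sample data.

```python
"""Toy model of the forwarding function in the proposed IPsec processing
model (added example, not the draft's code). The forwarding lookup selects
an egress interface and nothing else; whether the packet is then protected,
bypassed or discarded is a separate decision not modelled here.
Interface names, zone labels and prefixes are hypothetical sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    virtual: bool = False   # IPsec virtual interface rather than a physical port
    members: tuple = ()     # physical interfaces a virtual interface fronts
    zone: str = ""          # link-local scope zone (hypothetical label)


class ForwardingTable:
    """Plain routing table: prefix -> interface name, longest match wins."""

    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}
        self.routes = []

    def add_route(self, prefix, iface_name):
        if iface_name not in self.interfaces:
            raise KeyError(f"unknown interface {iface_name}")
        self.routes.append((ipaddress.ip_network(prefix), iface_name))

    def lookup(self, dst):
        """Longest-prefix match over routes of the destination's IP version."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, name in self.routes:
            if net.version != addr.version or addr not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, name)
        return None if best is None else self.interfaces[best[1]]


def check_zone_consistency(interfaces):
    """Return the names of virtual interfaces whose member physical
    interfaces do not all share one link-local scope zone."""
    by_name = {i.name: i for i in interfaces}
    bad = []
    for vi in interfaces:
        if not vi.virtual:
            continue
        zones = {by_name[m].zone for m in vi.members}
        if len(zones) > 1:
            bad.append(vi.name)
    return bad


def forwarding_step(table, pkt):
    """Step 1 of outbound processing: a packet has arrived from a subscriber
    interface, so invoke the forwarding lookup. Returns (egress interface
    name, is_virtual); selecting the virtual interface is still only a
    routing outcome, not a security decision."""
    egress = table.lookup(pkt["dst"])
    if egress is None:
        return None, False
    return egress.name, egress.virtual


def build_demo():
    """Constructed sample topology: one subscriber-side interface, two
    external physical interfaces, one IPsec virtual interface over ext0."""
    ifaces = [
        Interface("sub0", zone="sub0"),        # network "behind" the SG
        Interface("ext0", zone="ext0"),        # physical interface outward
        Interface("ext1", zone="ext1"),
        Interface("ipsec0", virtual=True, members=("ext0",), zone="ext0"),
    ]
    table = ForwardingTable(ifaces)
    table.add_route("0.0.0.0/0", "ext0")
    table.add_route("10.0.0.0/8", "sub0")
    table.add_route("192.0.2.0/24", "ipsec0")   # remote site reached via the VID
    table.add_route("::/0", "ext1")
    table.add_route("2001:db8::/32", "ipsec0")
    return ifaces, table


if __name__ == "__main__":
    demo_ifaces, demo_table = build_demo()
    for d in ("10.1.2.3", "192.0.2.9", "198.51.100.7", "2001:db8::1", "2001:db9::1"):
        print(d, forwarding_step(demo_table, {"dst": d}))
    print("zone violations:", check_zone_consistency(demo_ifaces))
```

The point of the split is visible in `forwarding_step`: it answers only "which interface", so a security policy lookup can be layered on afterwards without the routing code knowing anything about IPsec. `check_zone_consistency` encodes the scoped-address constraint as a configuration-time check rather than a per-packet one.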