
Re: revised IPsec processing model



At 16:40 +0200 7/21/03, Francis Dupont wrote:
>  In your previous mail you wrote:
>
>    Here is the new, proposed processing model for IPsec.  Comments
>    welcome, of course.
>   
>=> some comments:
>   
>    Several concepts underlie the proposed model:
>   
>    - virtual interface: every IPsec device has at least one virtual
>    interface, ...
>
>=> with scoped addresses, all the physical interfaces must belong
>to the same zone. In the case of link-local addresses, this means
>there is a one-to-one built-in mapping between interfaces which
>support link-local addresses (almost all in IPv6) and some kind of
>virtual interfaces. BTW, this can answer to Itojun's concern.

As I mentioned in my earlier messages, I don't understand the 
internals of an IPv6 host implementation well enough to appreciate 
these issues. I am assuming that the responses from other folks about 
how to interpret the VID concept in this context will suffice.

>   
>    - forwarding function: to provide a clear separation between
>    forwarding (routing) and security decisions, ...
>
>=> it is not clear whether the forwarding function applies only
>to forwarded packets (i.e., packets forwarded by a router) or
>this is only the "routing" part of the ip_output() procedure.

I do tend to think in terms of BITW/BITS and SG implementations of 
IPsec, so that prejudice may be showing here. The intent of the 
forwarding function, in a host environment and absent IPsec, would be 
to select the interface to which the packet would be forwarded. So, I 
think this maps to the "routing part ..." as you noted above.

>    With these concepts in mind, we can describe the revised model. First
>    we examine outbound traffic processing.  (There is no separate
>    discussion of fragment processing for now, as we await the WG
>    decisions of several pending proposals re fragmentation.)
>   
>    1. when a packet arrives from a subscriber interface, invoke the
>    forwarding lookup function.
>   
>=> can you define what is a subscriber interface? I am afraid the
>model applies only to routers, i.e., what to do with genuine traffic?

I was thinking in terms of the interface via which an outbound packet 
is initially received. So, in a host, this is the interface from 
which upper layer protocols present packets to the IP layer. In an SG, 
it is the interface that connects to the network that we think of as 
being "behind" the security gateway.

Steve
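
The separation Steve describes above (forwarding picks the egress interface;
the security decision is made elsewhere) can be illustrated with a small
model. This is an added example written for this archive page, not code from
the thread or from any IPsec implementation. The forwarding table, the interface
names ("eth0", "eth1", "ipsec0", "upper-layer"), the convention that an
interface whose name starts with "ipsec" is a virtual interface, and the packet
records are all constructed assumptions; scoped (link-local) addresses, which
Francis raises, are not modelled here.

```python
from ipaddress import ip_address, ip_network

# Constructed forwarding table: (destination prefix, egress interface).
# "ipsec0" stands for a virtual interface in the sense of the proposed model;
# "eth0"/"eth1" are hypothetical physical interfaces.
FORWARDING_TABLE = [
    (ip_network("10.1.0.0/16"),   "eth1"),    # directly attached, no IPsec
    (ip_network("10.1.5.0/24"),   "ipsec0"),  # more specific: reached via virtual if
    (ip_network("0.0.0.0/0"),     "eth0"),    # IPv4 default route
    (ip_network("2001:db8::/32"), "ipsec0"),
    (ip_network("::/0"),          "eth0"),    # IPv6 default route
]

# Constructed: which ingress interfaces count as "subscriber" interfaces.
# In a host that is where upper layer protocols hand packets to IP; in an SG
# it is the interface facing the network "behind" the gateway.
SUBSCRIBER_INTERFACES = {"upper-layer", "eth1"}


def forwarding_lookup(dst: str) -> str:
    """Longest-prefix match selecting the egress interface for dst.

    This is purely the routing decision; no security policy is consulted.
    """
    addr = ip_address(dst)
    best = None
    for prefix, iface in FORWARDING_TABLE:
        if addr.version == prefix.version and addr in prefix:
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def is_virtual_interface(iface: str) -> bool:
    # Constructed naming convention for this example only.
    return iface.startswith("ipsec")


def outbound_step1(pkt: dict) -> dict:
    """Step 1 of the outbound model: on arrival from a subscriber interface,
    invoke the forwarding lookup. Returns the packet annotated with the
    chosen egress interface and whether the next step is the security
    (virtual interface) path or plain transmission.
    """
    if pkt["ingress"] not in SUBSCRIBER_INTERFACES:
        raise ValueError(f"{pkt['ingress']} is not a subscriber interface")
    egress = forwarding_lookup(pkt["dst"])
    return {
        **pkt,
        "egress": egress,
        "next": "security" if is_virtual_interface(egress) else "transmit",
    }


if __name__ == "__main__":
    # Constructed packets: one from a host's upper layer, one from an SG's
    # inside network.
    for pkt in (
        {"ingress": "upper-layer", "src": "10.1.9.1", "dst": "10.1.5.7"},
        {"ingress": "eth1", "src": "10.1.9.1", "dst": "192.0.2.1"},
    ):
        print(outbound_step1(pkt))
```

The point of the two-function split is that forwarding_lookup() knows nothing
about IPsec: it only answers "which interface", and the virtual-interface test
is what routes the packet into the separate security step.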