[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: revised IPsec processing model

To: Stephen Kent <kent@bbn.com>
Subject: Re: revised IPsec processing model
From: Joe Touch <touch@ISI.EDU>
Date: Mon, 04 Aug 2003 13:36:44 -0700
CC: Mark Duffy <mduffy@quarrytech.com>, ipsec@lists.tislabs.com
In-Reply-To: <p05210613bb4db57e16c7@[128.89.89.75]>
References: <5.2.0.9.0.20030724113200.01feed80@email> <p05210613bb4db57e16c7@[128.89.89.75]>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507

Hi, all,

Stephen Kent wrote:
> Mark,
> 
> responses inline to your comments:
> 
>     <SNIP>
> 
>> Regarding the virtual interface and the forwarding function:
>>
>> A close reading shows that the "forwarding function" may be an 
>> arbitrary function of the packet (and hopefully of meta-information 
>> about the packet, such as where it was received from).  However, the 
>> term itself is fairly loaded and will suggest 
>> destination-address-based IP forwarding to many readers.  Moreover, 
>> 2401bis should IMO permit a separation between where a packet is 
>> forwarded to, and what SPD is applied to it.  This for example to 
>> support a device that has one uplink to the Internet and provides 
>> protection for different LANs using different SPDs: in this case the 
>> SPD to use for outbound processing might be implied by the interface 
>> the packet came in on rather than by the interface it goes out on.
> 
> The intent is that the forwarding function can use any data from the 
> packet. I'm open to suggestions for other names for the function, but I 
> think Joe Touch suggested this one, and he definitely intended it to 
> cover the broader set of possible inputs.

FYI, we call it forwarding since it would do what IP forwarding does. 
However, note that IP forwarding, as we have pointed out before, 
involves more than finding the outgoing interface.

Consider a system:

                 c
               /
	a----b
               \
                 d

Where a packet comes from 'a' and goes many hops downstream of 'c' or 
'd', where c,d are the nexthops from b. It is possible that c and d are 
on the same LAN as b, e.g., an FDDI ring or ethernet switch at a POP.

In that case, regardless of whether c or d is chosen, the packet will 
have the same outgoing interface. Outgoing interface alone will be 
insufficient to support dynamic routing.

As we have observed before, IP forwarding specifies both the outgoing 
interface and the next-hop IP address; both are required to specify the 
appropriate database.

However, as our ID points out, this is a cumbersome solution compared to 
the alternatives.

Joe

Follow-Ups:
- Re: revised IPsec processing model
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: revised IPsec processing model
Next by Date: Re: revised IPsec processing model: Q: VID and forwarding function
Prev by thread: Re: revised IPsec processing model
Next by thread: Re: revised IPsec processing model
Index(es):
- Date
- Thread