
Re: SPD issues



At 07:03 PM 10/14/2003 -0400, Stephen Kent wrote:
>Mark,
>
>>         <SNIP>
>>
>>
>>>         - My previous proposal for a revised processing model, from a 
>>> few weeks ago, retained the idea of multiple SPDs, allocating them to 
>>> virtual interfaces, and introduced the notion of a forwarding function 
>>> to select the right virtual interface, and thus SPD.  But, unless we 
>>> feel a need to have different SPDs per interface, this seems like 
>>> overkill. I think we do want to allow forwarding of outbound traffic to 
>>> be independent of SPD selection, so some notion of an explicit 
>>> forwarding function in the model still seems appropriate. But, as we 
>>> discussed the model, there was a suggestion that we might need two such 
>>> functions, one to select an SPD, and then one to be applied after IPsec 
>>> processing. Maybe, if we separate SPD selection from interface 
>>> selection, we can have two functions but only one of them is really for 
>>> forwarding.
>>
>>I am all for separating the "SPD selection function" from the "IP 
>>forwarding function".  (Once that is done though, I don't see why the IP 
>>forwarding function is any concern of IPsec's.)
>
>I think we have to say something about options for how forwarding 
>decisions can be made in the context of IPsec, especially in tunnel mode.

How about:

For packets that "bypass" IPsec processing, and for packets that arrive 
with IPsec protection which is removed at the device, the IP output 
interface and next hop are selected by the normal IP forwarding mechanism 
of the device [which would be beyond the scope of 2401bis] applied to the 
plaintext packet.

For packets that have IPsec applied to them by the device (tunnel or 
transport mode) the IP output interface and next hop are selected by the 
normal IP forwarding mechanism of the device applied to the IPsec packet.

And for packets that have a "drop" action selected, the document can remain 
silent.  After all, the world would be rendered uninteresting if all 
mystery were removed ;-)

Mark
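The ordering Mark proposes above (SPD selection first, then the device's ordinary forwarding function run on whatever packet leaves IPsec processing) as a small runnable model. This is an added example, not text from the thread or from 2401bis; the SPD entries, routing table, addresses, and all function and class names are constructed for illustration. It shows the point that matters operationally: for a PROTECT tunnel-mode entry the egress interface is chosen from the outer header (the peer gateway), not from the plaintext destination, while BYPASS traffic and inbound traffic whose protection has been removed are forwarded on the plaintext packet. A packet matching no SPD entry is discarded, as 2401 already requires.

```python
"""
Toy model of 'SPD selection, then IP forwarding on the resulting packet'.
Added example; the SPD, routing table and addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    inner: Optional["Packet"] = None   # on an ESP packet: the encapsulated packet


@dataclass(frozen=True)
class SPDEntry:
    src_net: str
    dst_net: str
    action: str                        # "BYPASS", "DISCARD" or "PROTECT"
    mode: Optional[str] = None         # "tunnel" or "transport" for PROTECT
    tunnel_src: Optional[str] = None   # outer header addresses for tunnel mode
    tunnel_dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    iface: str


def spd_lookup(spd: List[SPDEntry], pkt: Packet) -> SPDEntry:
    """Ordered SPD: first matching entry wins; no match means DISCARD."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return SPDEntry("0.0.0.0/0", "0.0.0.0/0", "DISCARD")


def apply_ipsec(entry: SPDEntry, pkt: Packet) -> Packet:
    """Output processing for a PROTECT entry. Tunnel mode wraps the packet in
    a new outer IP header addressed to the peer gateway; transport mode keeps
    the original addresses and only inserts ESP (modelled by the proto field)."""
    if entry.mode == "tunnel":
        return Packet(entry.tunnel_src, entry.tunnel_dst, "esp", inner=pkt)
    return Packet(pkt.src, pkt.dst, "esp", inner=pkt)


def forward(fib: List[Route], pkt: Packet) -> Optional[Route]:
    """Ordinary longest-prefix-match forwarding; it knows nothing about the SPD."""
    best = None
    for r in fib:
        net = ip_network(r.prefix)
        if ip_address(pkt.dst) in net and (
                best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


def process_outbound(spd: List[SPDEntry], fib: List[Route],
                     pkt: Packet) -> Optional[Tuple[Packet, Optional[Route]]]:
    """SPD selection first, then forwarding on the packet that leaves IPsec.
    Returns None for a DISCARD (the text stays silent about those)."""
    entry = spd_lookup(spd, pkt)
    if entry.action == "DISCARD":
        return None
    out = pkt if entry.action == "BYPASS" else apply_ipsec(entry, pkt)
    return out, forward(fib, out)


def process_inbound(fib: List[Route], pkt: Packet) -> Tuple[Packet, Optional[Route]]:
    """Inbound packet whose protection this device removes: strip the
    encapsulation and forward the plaintext packet."""
    plain = pkt.inner if pkt.proto == "esp" and pkt.inner is not None else pkt
    return plain, forward(fib, plain)


# Constructed sample policy and routing table (not from the thread).
SPD = [
    SPDEntry("10.1.0.0/16", "10.2.0.0/16", "PROTECT", "tunnel", "203.0.113.1", "198.51.100.1"),
    SPDEntry("10.1.0.0/16", "192.0.2.0/24", "BYPASS"),
    SPDEntry("0.0.0.0/0", "0.0.0.0/0", "DISCARD"),
]
FIB = [
    Route("10.1.0.0/16", "10.1.0.254", "lan0"),
    Route("10.2.0.0/16", "10.1.0.253", "lan1"),    # plaintext route exists, but policy tunnels 10.2/16
    Route("192.0.2.0/24", "192.0.2.1", "dmz"),
    Route("0.0.0.0/0", "203.0.113.254", "wan"),
]

if __name__ == "__main__":
    out, route = process_outbound(SPD, FIB, Packet("10.1.0.9", "10.2.0.5"))
    print("tunnelled:", out.dst, "via", route.iface)       # outer dst decides: wan, not lan1
    out, route = process_outbound(SPD, FIB, Packet("10.1.0.9", "192.0.2.10"))
    print("bypassed:", out.dst, "via", route.iface)
    esp = Packet("198.51.100.1", "203.0.113.1", "esp", inner=Packet("10.2.0.7", "10.1.0.9"))
    plain, route = process_inbound(FIB, esp)
    print("decapsulated:", plain.dst, "via", route.iface)
```

The contrast in the first two calls is the whole argument: the plaintext destination 10.2.0.5 has a perfectly good route out lan1, but because the SPD says PROTECT in tunnel mode, the packet that reaches the forwarding function carries the gateway address 198.51.100.1 and leaves via wan. Swapping the order (forward, then IPsec) would pick the wrong interface, which is why the forwarding function has to run after IPsec processing for protected traffic and on the plaintext for everything else.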