[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SPD issues

To: Joe Touch <touch@ISI.EDU>
Subject: Re: SPD issues
From: Mark Duffy <mduffy@quarrytech.com>
Date: Tue, 21 Oct 2003 00:25:01 -0400
Cc: Mike Taylor <mtaylor.eng@sbcglobal.net>, Stephen Kent <kent@bbn.com>, ipsec@lists.tislabs.com
In-Reply-To: <3F944CFA.8060009@isi.edu>
References: <5.2.0.9.0.20031020142118.020310d8@email><5.2.0.9.0.20031014234014.0214b190@localhost><5.2.0.9.0.20031020142118.020310d8@email>
Sender: owner-ipsec@lists.tislabs.com


>>[MD] So, there is an SPD selection function that chooses an SPD.  And 
>>there is an IP forwarding function that selects a next hop to forward a 
>>datagram to.  And the two may be comepletely independent or completely 
>>entwined, depending on the nature of the device.
>
>[JT] It's the entwined case that presents the largest problem. I.e., if 
>the SPD selection is based on forwarding information that then changes by 
>the time the subsequently tunneled (or not tunneled) packet is emitted 
>from IPsec.
>
>This could happen whether dynamic or static routing is used; the issue is 
>flux in the forwarding table and whether it is _allowed_ to affect SPD 
>selection.
>
>Calling the function "SPD selection" doesn't absolve the problem.
>
>Joe

No.  But it isolates the problems of which SPD to use, and which interface/ 
next hop to send the packet to.  Whoever feels that these are or need to be 
entwined for their application is free to do so.  Those solving simpler 
problems can avoid that.  And 2401bis can take itself out of the business 
of IP forwarding decisions.

Mark

Follow-Ups:
- Re: SPD issues
  - From: Joe Touch <touch@ISI.EDU>

References:
- RE: SPD issues
  - From: Mark Duffy <mduffy@quarrytech.com>
- Re: SPD issues
  - From: Mark Duffy <mduffy@quarrytech.com>
- Re: SPD issues
  - From: Joe Touch <touch@ISI.EDU>

Prev by Date: RE: SPD issues
Next by Date: Re: SPD issues
Prev by thread: Re: SPD issues
Next by thread: Re: SPD issues
Index(es):
- Date
- Thread