
Re: Ordered and unordered SPD in draft-ietf-ipsec-rfc2401bis-01



  From: "Michael Roe" <mroe@microsoft.com>

  In draft-ietf-rfc2401bis-01, the description of the processing
  model is very confusing. The problem is that it keeps switching
  between two different representations of the SPD:

   (a) An ordered SPD, which may contain overlapping entries
   (b) An unordered SPD, which must not contain overlapping entries

I had a similar reaction on reading the draft, but was lame about
commenting.

Since decorrelation is "just" an optimization, my (unconsidered)
preference is to have all the descriptions be in terms of the ordered
SPD, perhaps with 'the packet is looked up in the SPD' explained once,
and then that definition simply used.  The decorrelation presentation
could then be descriptive, with the authoritative rules for lookup being
in terms of the ordered SPD.

There is another, more subtle issue, which is that any time the SPD is
changed any data structures derived from the SPD should be updated.
While this typically includes computing a new decorrelated SPD
to enable fast lookups, it may also be necessary to revisit extant SAs
in implementations that omit SPD lookups when a packet matches an SA,
since an SA match may no longer indicate reliably that the packet is
allowed by the SPD.  Decorrelating the SPD doesn't _cause_ this issue,
but I believe it makes it harder to see.

-- 
        Greg Troxel <gdt@ir.bbn.com>
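The two SPD representations contrasted above, as an added example that is not part of the thread or of the draft: a one-dimensional decorrelation that rewrites an ordered SPD with overlapping entries into an unordered one without overlaps, plus a check for the stale-SA point about SPD changes. The single port-like selector, the rule ranges and the action names are constructed for illustration.

```python
# Added example (not from the thread): one-dimensional SPD decorrelation.
# Each rule covers an inclusive range [lo, hi] of one selector (treat it
# as a destination port range; constructed data) and names an action.

def lookup_ordered(spd, value):
    """Ordered SPD: the first matching entry wins, overlaps are allowed."""
    for lo, hi, action in spd:
        if lo <= value <= hi:
            return action
    return "DISCARD"          # no matching entry: drop the packet

def decorrelate(spd):
    """Unordered SPD: split each rule so that no two entries overlap.
    A later rule loses the parts already covered by earlier rules, so
    any match in the result equals the first match in the ordered SPD."""
    out = []
    for lo, hi, action in spd:
        pieces = [(lo, hi)]
        for plo, phi, _ in out:          # subtract every earlier piece
            nxt = []
            for a, b in pieces:
                if phi < a or plo > b:   # disjoint: keep as is
                    nxt.append((a, b))
                    continue
                if a < plo:              # part before the earlier piece
                    nxt.append((a, plo - 1))
                if b > phi:              # part after the earlier piece
                    nxt.append((phi + 1, b))
            pieces = nxt
        out.extend((a, b, action) for a, b in pieces)
    return out

def lookup_unordered(spd, value):
    """Unordered SPD: order is irrelevant because entries never overlap."""
    hits = [action for lo, hi, action in spd if lo <= value <= hi]
    assert len(hits) <= 1, "decorrelated SPD must not contain overlaps"
    return hits[0] if hits else "DISCARD"

def sa_cache_is_stale(old_spd, new_spd, cached_value):
    """An SA set up under old_spd for traffic matching cached_value may no
    longer be authorised once the SPD changes. True means that skipping
    the SPD lookup on an SA match would now give the wrong answer."""
    return lookup_ordered(old_spd, cached_value) != lookup_ordered(new_spd, cached_value)

# Constructed ordered SPD with overlapping entries (port 22 is covered by all three).
SPD = [(22, 22, "PROTECT"), (0, 1023, "BYPASS"), (0, 65535, "DISCARD")]
```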