
Re: [Ipsec] IPsec AH and ESP -- changes



I have some doubt; perhaps clarification is needed?

> From: kseo@bbn.com

> 2. AH and ESP (and 2401bis)

...
> 	Each entry in the Security Association Database (SAD)
> 	[Ken-Arch] must indicate whether the SA lookup makes use of
> 	the destination, or destination and source, IP addresses, in
> 	addition to the SPI.

...
> 	   2. Search the SAD for a match on {SPI, destination
> 	      multicast address}. If the SAD entry matches then
> 	      process the inbound ESP packet with that matching SAD
> 	      entry. Otherwise, proceed to step 3.

I assume this will match *only* SAs that indicate that the source address
is not used?

> 	   3. Search the SAD for a match on only {SPI}. If an SAD
> 	      entry matches then process the inbound ESP packet with
> 	      that matching SAD entry. Otherwise, discard the packet
> 	      and log an auditable event.

...and this matches *only* SAs that indicate that neither the source nor the
destination address is used?

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
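The following is an added illustration, not code from the message above or from the IPsec drafts it quotes. It models the inbound SA lookup as the poster reads it: each SAD entry carries the per-entry flag from the first quoted paragraph (SPI only, SPI plus destination, or SPI plus destination and source), and each search step considers only entries whose flag matches that step. Step 1 is elided in the quoted excerpt; the code assumes it is the full {SPI, destination, source} match. The `honor_flags` switch, the entry names and all addresses are constructed for the example so the difference between the two readings of step 3 can be seen on realistic input.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Lookup(Enum):
    """Per-SAD-entry flag: which addresses, besides the SPI, key this SA."""
    SPI_ONLY = 1      # matched only by step 3
    SPI_DST = 2       # matched only by step 2 (e.g. a multicast group SA)
    SPI_DST_SRC = 3   # matched only by step 1 (assumed; elided in the excerpt)


@dataclass(frozen=True)
class SADEntry:
    name: str
    spi: int
    lookup: Lookup
    dst: Optional[str] = None   # required when lookup is SPI_DST or SPI_DST_SRC
    src: Optional[str] = None   # required when lookup is SPI_DST_SRC


@dataclass(frozen=True)
class InboundPacket:
    spi: int
    dst: str
    src: str


def find_inbound_sa(sad: List[SADEntry], pkt: InboundPacket,
                    honor_flags: bool = True) -> Optional[SADEntry]:
    """Return the SAD entry for an inbound packet, or None (discard + audit).

    With honor_flags=True each step only considers entries whose lookup flag
    names exactly that step's selector set (the poster's reading). With
    honor_flags=False, step 3 matches any entry carrying the SPI, which lets a
    packet from an unexpected address be processed under the wrong SA.
    """
    # Step 1 (assumed): match on {SPI, destination, source}.
    for sa in sad:
        if (sa.lookup is Lookup.SPI_DST_SRC and sa.spi == pkt.spi
                and sa.dst == pkt.dst and sa.src == pkt.src):
            return sa
    # Step 2: match on {SPI, destination}.
    for sa in sad:
        if sa.lookup is Lookup.SPI_DST and sa.spi == pkt.spi and sa.dst == pkt.dst:
            return sa
    # Step 3: match on {SPI} only.
    for sa in sad:
        if sa.spi == pkt.spi and (sa.lookup is Lookup.SPI_ONLY or not honor_flags):
            return sa
    return None


def process_inbound(sad: List[SADEntry], pkt: InboundPacket,
                    audit_log: List[str], honor_flags: bool = True) -> str:
    """Return the name of the SA used, or 'DISCARD' after recording an audit event."""
    sa = find_inbound_sa(sad, pkt, honor_flags)
    if sa is None:
        audit_log.append(f"no SA for spi=0x{pkt.spi:x} dst={pkt.dst} src={pkt.src}")
        return "DISCARD"
    return sa.name


# Constructed sample SAD (addresses and SPIs are made up for the example).
SAMPLE_SAD = [
    SADEntry("pairwise", 0x1001, Lookup.SPI_DST_SRC, dst="10.0.0.5", src="10.0.0.9"),
    SADEntry("mcast-grp", 0x1001, Lookup.SPI_DST, dst="224.0.1.1"),
    SADEntry("spi-only", 0x2002, Lookup.SPI_ONLY),
]


if __name__ == "__main__":
    log: List[str] = []
    for p in (InboundPacket(0x1001, "224.0.1.1", "10.0.0.9"),
              InboundPacket(0x1001, "10.0.0.5", "10.0.0.9"),
              InboundPacket(0x1001, "10.0.0.5", "10.0.0.77"),
              InboundPacket(0x2002, "10.0.0.5", "192.0.2.1")):
        print(p, "->", process_inbound(SAMPLE_SAD, p, log))
    print("audit:", log)
```

Run stand-alone, the third packet (SPI 0x1001 to a unicast destination from an address the pairwise SA does not know) is discarded and logged when the flags are honoured; with `honor_flags=False` the same packet would be handed to the multicast SA at step 3.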