Re: [Ipsec] IPsec AH and ESP -- changes
I've some doubt, perhaps clarification is needed?
> From: kseo@bbn.com
> 2. AH and ESP (and 2401bis)
...
> Each entry in the Security Association Database (SAD)
> [Ken-Arch] must indicate whether the SA lookup makes use of
> the destination, or destination and source, IP addresses, in
> addition to the SPI.
...
> 2. Search the SAD for a match on {SPI, destination
> multicast address}. If the SAD entry matches then
> process the inbound ESP packet with that matching SAD
> entry. Otherwise, proceed to step 3.
I assume this will match *only* SAs that indicate that the source address
is not used?
> 3. Search the SAD for a match on only {SPI}. If an SAD
> entry matches then process the inbound ESP packet with
> that matching SAD entry. Otherwise, discard the packet
> and log an auditable event.
...and this matches *only* SAs that indicate that neither source nor
destination is used?
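
The two readings asked about above, side by side, as an added example that is not part of the original message or of the draft: with `honor_flag=True` each step only considers SAs whose SAD entry declares that selector set, with `honor_flag=False` any entry may match. The `SA` class, flag names, addresses and SPIs are constructed for illustration, and only the quoted steps 2 and 3 are modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

# Per-entry lookup flag described in the quoted SAD text (names are constructed).
SPI_ONLY, SPI_DST, SPI_DST_SRC = "spi", "spi+dst", "spi+dst+src"

@dataclass(frozen=True)
class SA:
    name: str
    spi: int
    dst: Optional[str]   # destination address bound to the SA, if any
    src: Optional[str]   # source address bound to the SA, if any
    uses: str            # which selectors this entry says the lookup uses

def lookup(sad: List[SA], spi: int, dst: str, honor_flag: bool = True) -> Optional[SA]:
    """Quoted steps 2 and 3 of inbound SA lookup; None means discard and audit."""
    # Step 2: match on {SPI, destination multicast address}.
    for sa in sad:
        if sa.spi == spi and sa.dst == dst and (not honor_flag or sa.uses == SPI_DST):
            return sa
    # Step 3: match on {SPI} only.
    for sa in sad:
        if sa.spi == spi and (not honor_flag or sa.uses == SPI_ONLY):
            return sa
    return None

# Constructed SAD: one source-specific multicast SA, one any-source multicast SA,
# and one SA that is looked up by SPI alone.
SAD = [
    SA("ssm", 0x1000, "232.1.1.1", "192.0.2.10", SPI_DST_SRC),
    SA("asm", 0x2000, "239.1.1.1", None, SPI_DST),
    SA("unicast", 0x3000, "198.51.100.5", None, SPI_ONLY),
]

def name_of(sa: Optional[SA]) -> str:
    return sa.name if sa else "DISCARD"

if __name__ == "__main__":
    # (spi, dst) pairs as they would arrive at steps 2 and 3.
    for spi, dst in [(0x1000, "232.1.1.1"), (0x2000, "239.9.9.9"), (0x3000, "203.0.113.9")]:
        strict = name_of(lookup(SAD, spi, dst, honor_flag=True))
        loose = name_of(lookup(SAD, spi, dst, honor_flag=False))
        print(f"spi={spi:#x} dst={dst}: flag honored -> {strict}, flag ignored -> {loose}")
```

When the flag is ignored, the source-specific SA is selected at step 2 without its source address ever being compared, and the any-source multicast SA is selected at step 3 for a destination it was never bound to.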