
Re: [Ipsec] IPsec AH and ESP -- changes



Hi Markku,

On Tue, 27 Apr 2004, Markku Savela wrote:

> I've some doubt, perhaps clarification is needed?

I'm trying to understand what is not clear to you, as I'm not sure I
understand your question.

>
> > From: kseo@bbn.com
>
> > 2. AH and ESP (and 2401bis)
>
> ...
> > 	Each entry in the Security Association Database (SAD)
> > 	[Ken-Arch] must indicate whether the SA lookup makes use of
> > 	the destination, or destination and source, IP addresses, in
> > 	addition to the SPI.
>
> ...
> > 	   2. Search the SAD for a match on {SPI, destination
> > 	      multicast address}. If the SAD entry matches then
> > 	      process the inbound ESP packet with that matching SAD
> > 	      entry. Otherwise, proceed to step 3.
>
> I assume this will match *only* SAs that indicate that the source address
> is not used?

The direct answer to your question is "yes". Of course, this procedural
step is being interpreted in the context of a preceding text that
discusses SAD search using the longest matching identifiers before the
shorter identifiers. It does make the reasonable assumption that the IPsec
implementation keeps the SAD entries sorted correctly.

>
> > 	   3. Search the SAD for a match on only {SPI}. If an SAD
> > 	      entry matches then process the inbound ESP packet with
> > 	      that matching SAD entry. Otherwise, discard the packet
> > 	      and log an auditable event.
>
> ...and this matches *only* SAs that indicate that neither source nor
> destination is used?

Again "yes", but with the understanding that it is part of a sorted search
procedure.

hth,
	George
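The sorted three-step search discussed above, written out as an added example that is not part of this thread or of any IPsec implementation. The entry names, addresses and the `keep_sorted` switch are constructed for illustration, and the destination is handled generically rather than only as a multicast address:

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SadEntry:
    """One inbound SAD entry. A selector set to None means the SA lookup
    does not use that address (the flag the quoted 2401bis text requires)."""
    spi: int
    dst: Optional[str]   # None: lookup uses the SPI only
    src: Optional[str]   # None: lookup uses SPI + destination only
    name: str            # label used only by this example

    def __post_init__(self) -> None:
        # The text allows "destination" or "destination and source",
        # never source without destination.
        if self.src is not None and self.dst is None:
            raise ValueError("source address requires destination address")

    def selectors(self) -> int:
        """Number of address selectors the entry uses: 2, 1 or 0."""
        return int(self.dst is not None) + int(self.src is not None)

    def matches(self, spi: int, dst: str, src: str) -> bool:
        return (self.spi == spi
                and (self.dst is None or self.dst == dst)
                and (self.src is None or self.src == src))


def lookup_sa(sad: Iterable[SadEntry], spi: int, dst: str, src: str,
              keep_sorted: bool = True) -> Optional[SadEntry]:
    """Inbound SA lookup. With keep_sorted=True the search tries
    {SPI, dst, src} entries, then {SPI, dst}, then {SPI}, so step 2 can only
    hit SAs that do not use the source address and step 3 only SAs that use
    neither. keep_sorted=False searches in stored order, which shows why the
    reply stresses that the SAD must be kept sorted."""
    order = sorted(sad, key=SadEntry.selectors, reverse=True) if keep_sorted else list(sad)
    for entry in order:
        if entry.matches(spi, dst, src):
            return entry
    return None   # caller discards the packet and logs an auditable event


# Constructed sample SAD, deliberately stored least-specific first.
SAMPLE_SAD = [
    SadEntry(0x1000, None, None, "spi-only"),
    SadEntry(0x1000, "239.1.1.1", None, "spi+dst"),
    SadEntry(0x1000, "239.1.1.1", "192.0.2.10", "spi+dst+src"),
]
```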


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec