
Re: [Ipsec] IPSec Outbound Packet Processing Questions



Hello Hazem,

>First question, it's not clear how an SA bundle is formed, and if 
>all SAs in the bundle get the same SPI. Is it constructed by 
>matching an outbound packet against multiple SPD rules each pointing 
>to one transform, or matching the packet against one rule that 
>points to multiple transforms?

	In 2401bis, there are no longer SA bundles.  See Section
	4.3 Combining Security Associations --> "This document does
	not require support for nested security associations or for
	what RFC 2401 called 'SA bundles.' These features still can
	be effected by appropriate configuration of both the SPD
	and the local forwarding functions (for inbound and outbound
	traffic),...."

	If one wants to apply say ESP then AH to an outbound packet,
	there would be separate SPD entries/rules for each and the
	forwarding would have to be set up to cause the packet to go
	back through IPsec processing after ESP was applied. On this
	2nd pass, the packet would match a rule (with ESP as a protocol
	selector) that calls for AH to be applied.  There would be
	independently selected SPIs for AH and for ESP.

>Second question is about outbound packet matching. Can a packet 
>match multiple SPD rules? If yes, how are these rules applied to the 
>packet in such a case?

	If the SPD is not decorrelated, then rules can overlap in
	coverage and a packet could match multiple rules.  The rules
	in such an SPD must be ordered and it is searched from the
	beginning until a matching rule is found. If the SPD is
	decorrelated, then a given packet will match only one rule.

Karen
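The following is an added illustration of the two points in the reply above; it is not code from the list post or from any IPsec implementation. It models an outbound SPD with just three selectors (source network, destination network, IP protocol range), shows a packet matching two overlapping rules in an ordered SPD with first-match semantics, decorrelates the SPD in the spirit of RFC 4301 Appendix B so that the same packet matches exactly one rule, and walks a TCP packet through the two-pass ESP-then-AH setup the reply describes, where the second pass matches a rule whose protocol selector is ESP and each SA has its own SPI. The rule names, addresses, SPI values and protocol numbers used as selectors are all constructed for the example.

```python
# Added illustration (not from the list post): toy RFC 4301-style outbound SPD.
# Selectors are limited to source net, destination net and a protocol range.
import ipaddress
from dataclasses import dataclass, replace

ANY_PROTO = (0, 255)   # inclusive protocol-number range meaning "any"
ESP, AH = 50, 51       # IP protocol numbers of the IPsec headers

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: tuple               # (low, high) protocol-number range
    action: str                # "PROTECT", "BYPASS" or "DISCARD"
    ipsec: str = ""            # "ESP" or "AH" when action == "PROTECT"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int

def net(s):
    return ipaddress.ip_network(s)

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.proto[0] <= pkt.proto <= rule.proto[1])

def ordered_lookup(spd, pkt):
    """Correlated (ordered) SPD: search from the top, first match wins."""
    return next((r for r in spd if matches(r, pkt)), None)

def all_matches(spd, pkt):
    return [r for r in spd if matches(r, pkt)]

# --- selector arithmetic used by decorrelation -------------------------------
def net_minus(b, a):
    """b minus a as CIDR blocks (two CIDR blocks never partially overlap)."""
    if not b.overlaps(a):
        return [b]
    if a.supernet_of(b):                  # a covers b completely
        return []
    return list(b.address_exclude(a))     # a lies strictly inside b

def net_and(b, a):
    if not b.overlaps(a):
        return None
    return b if a.supernet_of(b) else a

def range_minus(b, a):
    if a[1] < b[0] or a[0] > b[1]:
        return [b]
    out = []
    if a[0] > b[0]:
        out.append((b[0], a[0] - 1))
    if a[1] < b[1]:
        out.append((a[1] + 1, b[1]))
    return out

def range_and(b, a):
    lo, hi = max(b[0], a[0]), min(b[1], a[1])
    return (lo, hi) if lo <= hi else None

DIMS = (("src", net_minus, net_and), ("dst", net_minus, net_and),
        ("proto", range_minus, range_and))

def rule_minus(b, a):
    """Split rule b into pieces covering exactly b's traffic not covered by a."""
    pieces, common = [], b
    for dim, minus, inter in DIMS:
        for part in minus(getattr(common, dim), getattr(a, dim)):
            pieces.append(replace(common, **{dim: part}))
        both = inter(getattr(common, dim), getattr(a, dim))
        if both is None:          # disjoint in this dimension: nothing more to cut
            return pieces
        common = replace(common, **{dim: both})
    return pieces                 # remaining 'common' is covered by a and dropped

def decorrelate(spd):
    """Make every rule disjoint from all rules above it (RFC 4301 App. B idea)."""
    out = []
    for i, rule in enumerate(spd):
        pieces = [rule]
        for earlier in spd[:i]:
            pieces = [p for piece in pieces for p in rule_minus(piece, earlier)]
        out.extend(pieces)
    return out

# --- two-pass outbound processing: ESP first, then AH on the re-entered packet
def process_outbound(spd, pkt, spis, max_passes=3):
    """Return [(rule name, SPI)] applied.  After PROTECT the packet's outer
    protocol becomes ESP/AH and it re-enters IPsec, as the forwarding setup
    in the reply requires; each SA carries its own independently chosen SPI."""
    applied = []
    for _ in range(max_passes):
        rule = ordered_lookup(spd, pkt)
        if rule is None or rule.action != "PROTECT":
            return applied
        applied.append((rule.name, spis[rule.name]))
        pkt = replace(pkt, proto=ESP if rule.ipsec == "ESP" else AH)
    return applied

# Constructed SPD: the first rule only matches already-ESP'd packets (protocol
# selector = ESP), the second lets the finished AH packet leave untouched.
SPD = [
    Rule("ah_after_esp", net("10.0.0.0/8"), net("192.0.2.0/24"), (ESP, ESP), "PROTECT", "AH"),
    Rule("forward_ah", net("10.0.0.0/8"), net("0.0.0.0/0"), (AH, AH), "BYPASS"),
    Rule("esp_web", net("10.0.0.0/8"), net("192.0.2.0/24"), (6, 6), "PROTECT", "ESP"),
    Rule("bypass_lan", net("10.0.0.0/8"), net("10.0.0.0/8"), ANY_PROTO, "BYPASS"),
    Rule("esp_all", net("10.0.0.0/8"), net("0.0.0.0/0"), ANY_PROTO, "PROTECT", "ESP"),
]
SPIS = {"esp_web": 0x1001, "ah_after_esp": 0x2002, "esp_all": 0x3003}  # constructed
WEB = Packet("10.1.1.1", "192.0.2.10", 6)   # constructed TCP packet

def demo():
    dec = decorrelate(SPD)
    return {
        "overlapping": [r.name for r in all_matches(SPD, WEB)],   # two rules match
        "first_match": ordered_lookup(SPD, WEB).name,             # ordered search
        "decorrelated": [r.name for r in all_matches(dec, WEB)],  # exactly one
        "two_pass": process_outbound(SPD, WEB, SPIS),             # ESP then AH
    }

if __name__ == "__main__":
    print(demo())
```

`rule_minus` is the standard selector-subtraction step: for each selector dimension it emits the parts of the later rule outside the earlier rule, then narrows the remainder to the intersection and continues with the next dimension, so the pieces it returns are pairwise disjoint and together cover exactly the traffic the earlier rule did not. Note that the decorrelated SPD can be much larger (a single `0.0.0.0/0` minus a `/24` already yields 24 CIDR blocks), which is why ordered first-match lookup remains the common implementation choice.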

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec