List: ipsec
Subject: RE: [Ipsec] SPD Checks for IPsec Inbound Processing
From: "Narayanan, Vidya" <vidyan () qualcomm ! com>
Date: 2006-10-18 5:15:02
Message-ID: C24CB51D5AA800449982D9BCB903251324215C () NAEX13 ! na ! qualcomm ! com
Thanks, Steve. Apologies for missing the relevant text.
Regards,
Vidya
> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
> Sent: Monday, October 16, 2006 8:32 AM
> To: Narayanan, Vidya
> Cc: ipsec@ietf.org
> Subject: Re: [Ipsec] SPD Checks for IPsec Inbound Processing
>
> At 10:37 AM -0700 10/14/06, Narayanan, Vidya wrote:
> >Hi,
> >RFC2401 had SPD checks for inbound packet processing after processing
> >with a matching SA, while RFC4301 only advocates SPD checks for
> >bypassed or discarded inbound packets. Can anyone throw some light on
> >why the SPD checks on packets with a matching SA were not preserved?
> >
> >Thanks,
> >Vidya
>
> We now require the access control checking for inbound
> packets to make use of the SAD, consistent with the new
> processing model defined in 4301. (See Figure 3 on page 60,
> and step 4 of the processing description on page 62.)
>
> Because the new model assumes use of decorrelated SPD
> entries, it is now "safe" (and much easier) to perform the
> check against the SAD entry, vs. having to search the SPD.
>
> Also, 4301 does not "advocate" SPD-I (cache) checks for
> bypassed and discarded packets, it mandates them.
>
> Steve
>
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
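
The point about decorrelated SPD entries, as an added example that is not part of the thread or of RFC 4301: with an ordered SPD, an SA built from a broad PROTECT entry also covers traffic that an earlier entry discards, so checking only the SA's selectors can disagree with an ordered SPD search; after decorrelation the two checks agree. The policy entries, addresses and function names are constructed, and only one selector (the remote address) is modelled.

```python
import ipaddress as ip

# Constructed ordered SPD (remote-address selector only): first match wins.
ORDERED_SPD = [
    ("DISCARD", ip.ip_network("10.0.0.5/32")),
    ("PROTECT", ip.ip_network("10.0.0.0/24")),
    ("BYPASS", ip.ip_network("192.0.2.0/24")),
]

def ordered_lookup(spd, addr):
    """Ordered-SPD check: search the entries in order, first match wins."""
    a = ip.ip_address(addr)
    for action, net in spd:
        if a in net:
            return action
    return "DISCARD"  # no matching entry: drop

def subtract(nets, earlier):
    """Remove the CIDR block `earlier` from every block in `nets`."""
    out = []
    for n in nets:
        if not n.overlaps(earlier):
            out.append(n)
        elif earlier != n and earlier.subnet_of(n):
            out.extend(n.address_exclude(earlier))
        # otherwise n lies entirely inside `earlier`: nothing survives
    return out

def decorrelate(spd):
    """Rewrite each entry so it excludes everything earlier entries match."""
    result = []
    for i, (action, net) in enumerate(spd):
        pieces = [net]
        for _, prev in spd[:i]:
            pieces = subtract(pieces, prev)
        result.append((action, pieces))
    return result

def sa_selector_check(sa_selectors, addr):
    """Inbound check against the SAD entry: packet must match the SA's selectors."""
    a = ip.ip_address(addr)
    return any(a in net for net in sa_selectors)

# Assumption: the SA's selectors are copied from the whole PROTECT entry.
SA_CORRELATED = [ORDERED_SPD[1][1]]               # taken from the ordered SPD
SA_DECORRELATED = decorrelate(ORDERED_SPD)[1][1]  # taken after decorrelation
```
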