Date: Wed, 04 Jul 2001 09:50:26 +0900
From: Shoichi Sakane <sakane@kame.net>
To: mcambria@avaya.com
Cc: snap-users@kame.net, freebsd-net@freebsd.org
Subject: RE: (KAME-snap 5064) Can I define a SPD per interface?
Message-ID: <20010704095026X.sakane@kame.net>
In-Reply-To: Your message of "Tue, 3 Jul 2001 09:23:58 -0400" <3A6D367EA1EFD4118C9B00A0C9DD99D7064F5F@rerun.lucentctc.com>
References: <3A6D367EA1EFD4118C9B00A0C9DD99D7064F5F@rerun.lucentctc.com>
> > I can only find a way to define a global SPD using setkey. Is it possible
> > to define an (IPv4) SPD on a per interface basis using KAME / FreeBSD4?
> > If not, are there any plans to add this in the future?
> > Is there any reason one wouldn't want to have this?
>
> no. do you want SPD per interface, or IPsec SPI per interface?
> anyway, IPsec architecture is not interface-oriented (it lives on top
> of IP, and the information on interface is already gone)
> so your suggestion does not fit nicely to the current architecture...

The specification strongly presupposes a security gateway which has two interfaces, namely the internal and the external one, even though it also considers a host to be secured.

> I read RFC2401 (pg 13) differently, which is why I asked.
> "Each interface for which IPsec is enabled requires nominally separate
> inbound vs. outbound databases (SAD and SPD)"

I think it's an implementation design matter. We chose to implement it like address-based packet filtering, not interface-based.

> and further down on pg 13
> "...SG had multiple external interfaces, it might be necessary to have
> separate SAD and SPD pairs for each interface."

On a router which has multiple interfaces, if we configured IPsec on interface A, but the kernel decided to forward a packet through interface B due to routing information, the packet could not be secured.
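To make the address-based design concrete, here is an added setkey(8) policy file for a two-sided security gateway of the kind the reply describes; it is an illustration written for this archive page, not configuration from the KAME project or from anyone in the thread. All addresses are constructed (RFC 5737 documentation ranges for the gateway endpoints, private ranges for the protected networks). Because the selectors are addresses rather than interface names, the outbound policy is enforced whichever interface the kernel's routing table picks for the packet, which is exactly the forwarding case the reply raises.

```setkey
# Added example, not from the thread: address-based SPD entries for a
# security gateway, in setkey(8) syntax. All values are assumed:
#   internal network   10.1.0.0/16   (behind this gateway)
#   peer network       10.2.0.0/16   (behind the remote gateway)
#   this gateway       192.0.2.1     (external address)
#   remote gateway     198.51.100.1  (external address)

# Clear stale policies (not SAs) so an earlier entry cannot shadow these.
spdflush;

# Outbound: traffic from the internal net to the peer net must leave inside
# an ESP tunnel between the two gateways. The selector is the address pair,
# so the rule applies regardless of which interface the route chooses.
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec
       esp/tunnel/192.0.2.1-198.51.100.1/require;

# Inbound mirror image: with level "require", a cleartext packet carrying
# these selectors that did not arrive through the tunnel is discarded, so
# the policy also defends against spoofed internal addresses from outside.
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in ipsec
       esp/tunnel/198.51.100.1-192.0.2.1/require;
```

Load it with `setkey -f <file>` and confirm the installed entries with `setkey -DP`; the SAs themselves still have to be negotiated by IKE (racoon) or added manually, and the SPD entries above only state what the kernel must demand of matching packets.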
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010704095026X.sakane>