[RFC/RFT] projects/ipsec

Andrey V. Elsukov ae at FreeBSD.org
Sun Dec 11 12:10:05 UTC 2016


On 11.12.2016 14:58, Slawa Olhovchenkov wrote:
>> No. An encapsulated by gif(4) packet is considered as own packet. The
>> described change is related to transport mode policies, that are match
>> forwarded packets, i.e. when source and destination addresses are not
>> our own. In this case we can't handle the returned packets.
> 
> What difference with source packets?
> Why you can handle sourced and can't handle returned packets?

IPsec is a set of protocol handlers - ESP/AH/IPcomp. Inbound packets are
handled by the security association with the given destination address and SPI.
If returned packets aren't destined to your address, the protocol handlers
will not handle them.

Outbound packets are handled by matching a security policy. The needed
security association is looked up using the address selector from the
security policy. If a security association that matches the packet is
found, the packet will be handled by the protocol handler.

-- 
WBR, Andrey V. Elsukov
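A small Python model of the dispatch described in this message, added as an illustration (it is not FreeBSD code): inbound packets reach a protocol handler only when their destination is one of our own addresses and an SA keyed by (dst, SPI) exists, while outbound packets are matched against the SPD selector first. All addresses, SPIs and the single transport-mode policy are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed: this host's own address; everything else is forwarded traffic.
LOCAL_ADDRS = {"192.0.2.1"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" for plain traffic, "esp" for IPsec-protected traffic
    spi: Optional[int] = None

# Constructed SPD: one transport-mode policy whose selector matches packets
# between two hosts that are NOT our own, i.e. forwarded traffic.
SPD = [{"sel_src": "198.51.100.7", "sel_dst": "203.0.113.9", "mode": "transport"}]

# Constructed SAD, keyed the way the inbound path looks it up: (dst, spi, proto).
SAD = {
    ("203.0.113.9", 0x1000, "esp"): {"src": "198.51.100.7", "dst": "203.0.113.9"},
    ("198.51.100.7", 0x2000, "esp"): {"src": "203.0.113.9", "dst": "198.51.100.7"},
    ("192.0.2.1", 0x3000, "esp"): {"src": "203.0.113.9", "dst": "192.0.2.1"},
}

def outbound(pkt: Packet) -> str:
    """Match an SP by address selector, then find the SA via the SP's addresses."""
    for sp in SPD:
        if (sp["sel_src"], sp["sel_dst"]) == (pkt.src, pkt.dst):
            for (dst, spi, proto), sa in SAD.items():
                if (sa["src"], sa["dst"]) == (sp["sel_src"], sp["sel_dst"]):
                    return f"esp spi={spi:#x}"   # handed to the ESP handler
            return "no SA"                       # policy matched, nothing to use
    return "bypass"                              # no policy: sent in the clear

def inbound(pkt: Packet) -> str:
    """Protocol handlers only see packets addressed to us; lookup is by (dst, spi)."""
    if pkt.proto != "esp":
        return "not ipsec"
    if pkt.dst not in LOCAL_ADDRS:
        return "forwarded untouched"             # returned packet never reaches ESP
    sa = SAD.get((pkt.dst, pkt.spi, pkt.proto))
    return "decrypted" if sa else "no SA"

if __name__ == "__main__":
    # Forwarded flow is protected on the way out ...
    print(outbound(Packet("198.51.100.7", "203.0.113.9", "tcp")))
    # ... but the reply, ESP to a non-local address, is not ours to decapsulate.
    print(inbound(Packet("203.0.113.9", "198.51.100.7", "esp", 0x2000)))
    # Only ESP addressed to our own address reaches the handler.
    print(inbound(Packet("203.0.113.9", "192.0.2.1", "esp", 0x3000)))
```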
