On Sat, Jun 28, 2003 at 10:36:44AM +0400, kuznet@ms2.inr.ac.ru wrote:
>
> > There is one other problem though with nested policies. We only check
> > the out-most policy in such a case. To solve that problem, we should
> > invoke xfrm_policy_check recursively.
>
> I do not understand. The policy applies only to the content.
> Compare with output, where policy applies to original packet and
> all the transformations are derived from this. On input the order
> is symmetrical, and this is the policy which IKEs install.

Let's consider the hosts A, B and C:

A <------> B <------> C

A has an ESP transport SA to B, and on top of that, A has an ESP tunnel
SA to C via B:

A <------> B <------> C
  <transp>
  <------tunnel----->

Normally packets coming from B must be protected by the transport SA.
However, packets arriving from C are accepted even if they only possess
the tunnel SA, bypassing the transport SA between A and B.

Cheers,
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt