On Sat, Jun 28, 2003 at 11:13:16AM +0400, kuznet@ms2.inr.ac.ru wrote:
>
> > A has an ESP transport SA to B, and on top of that, A has an ESP tunnel
> > SA to C via B:
> >
> > A <------> B <------> C
> >   <transp>
> >   <------tunnel----->
> >
> > Normally packets coming from B must be protected by the transport SA.
> > However, packets arriving from C are accepted even if they only possess
> > the tunnel SA, bypassing the transport SA between A and B.
>
> I think you misplaced something in the picture, because transport SA
> between A and B cannot have any relationship to traffic from C.
> Well, you can guess, I did not understand the picture. :-)

Oops :) Better make the transport SA a tunnel SA instead.

For a more realistic example, make the tunnel between A and C an IPCOMP
tunnel.

> Anyway, let's think simpler: what policy do you set on output?
> Why is the symmetric reflection of this policy on input not enough?

Indeed, the same problem probably exists on output.

It's sufficient from the kernel's point of view.  But it makes the KM's job
very difficult indeed.

KMs view these things as connections rather than simply policies.  So it
sees a connection between A and B and another one between A and C.  When it
sets up the connection between A and C it may not even know about the
connection between A and B.

As it is, it has to update the policies between A and C when the tunnel
between A and B is created.
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
-
: send the line "unsubscribe linux-net" in the body of a message to
majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
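The input-side check the thread is arguing about, as an added example that is not part of the mail exchange and not the kernel's or iproute2's code. It is a small Python model of how an xfrm input policy's template list is compared against the SAs that actually decapsulated a packet (the secpath): required SAs must be present in nesting order, while SAs the policy does not name are simply skipped. The addresses for A, B and C are constructed, the matching rules are a simplification of the kernel's template check, and the two policies for traffic from C show the situation Herbert describes: a policy installed by a KM that only knows about the A-C connection accepts a packet carrying the A-C tunnel SA alone, whereas the policy a KM would have to install after learning about the A-B tunnel rejects it.

```python
"""Toy model of Linux xfrm input policy enforcement for nested IPsec SAs.

Added example for this thread, not kernel or iproute2 code. It models the
check made on input: every template of the matching policy must be satisfied
by an SA on the packet's "secpath" (the SAs that actually decapsulated the
packet). A, B, C are constructed addresses standing in for the hosts in the
discussion; the matching rules are a simplification of the kernel's own.
"""
from dataclasses import dataclass
from typing import List, Optional

A, B, C = "10.0.0.1", "10.0.0.2", "10.0.0.3"  # constructed addresses


@dataclass(frozen=True)
class SA:
    """A security association as seen after decapsulation."""
    proto: str            # "esp", "ah" or "ipcomp"
    mode: str             # "transport" or "tunnel"
    src: str
    dst: str


@dataclass(frozen=True)
class Template:
    """One `tmpl` entry of a policy. Tunnel templates pin the outer
    addresses; transport templates only fix proto and mode."""
    proto: str
    mode: str
    src: Optional[str] = None
    dst: Optional[str] = None

    def satisfied_by(self, sa: SA) -> bool:
        if (self.proto, self.mode) != (sa.proto, sa.mode):
            return False
        if self.mode == "tunnel":
            return (self.src, self.dst) == (sa.src, sa.dst)
        return True


def policy_permits(templates: List[Template], secpath: List[SA]) -> bool:
    """Input-side policy check (simplified model, see module docstring).

    `templates` is listed innermost first, as in
    `ip xfrm policy add ... tmpl <inner> tmpl <outer>`; `secpath` is listed
    in decapsulation order, outermost first. Each template must be matched
    by an SA, in nesting order. SAs not named by any template are tolerated,
    which is exactly why a policy naming only the inner SA lets the outer
    one be omitted by whoever sends the packet.
    """
    applied = list(reversed(secpath))        # innermost first, like templates
    pos = 0
    for tmpl in templates:
        while pos < len(applied) and not tmpl.satisfied_by(applied[pos]):
            pos += 1                         # unnamed SA: skip it
        if pos == len(applied):
            return False                     # required SA missing
        pos += 1
    return True


# SAs from the thread: a tunnel between A and B, and a tunnel between A and C
# that is carried inside it (B forwards C's tunnel packets to A).
sa_b_to_a = SA("esp", "tunnel", B, A)
sa_c_to_a = SA("esp", "tunnel", C, A)

# Policy for traffic from C as a KM installs it when it only knows about the
# A-C connection: a single template.
weak_policy_from_c = [Template("esp", "tunnel", C, A)]

# Policy for traffic from C once the KM also accounts for the A-B tunnel:
# inner A-C template first, outer A-B template second.
strict_policy_from_c = [Template("esp", "tunnel", C, A),
                        Template("esp", "tunnel", B, A)]


def bypass_demo() -> dict:
    """Return which packets each policy accepts. The bypass from the thread
    is the ('weak', 'inner only') entry being accepted."""
    nested = [sa_b_to_a, sa_c_to_a]          # what A should see
    inner_only = [sa_c_to_a]                 # A-C tunnel, no A-B tunnel
    wrong_order = [sa_c_to_a, sa_b_to_a]     # A-B tunnel inside A-C tunnel
    return {
        ("weak", "nested"): policy_permits(weak_policy_from_c, nested),
        ("weak", "inner only"): policy_permits(weak_policy_from_c, inner_only),
        ("strict", "nested"): policy_permits(strict_policy_from_c, nested),
        ("strict", "inner only"): policy_permits(strict_policy_from_c, inner_only),
        ("strict", "wrong order"): policy_permits(strict_policy_from_c, wrong_order),
    }


if __name__ == "__main__":
    for (policy, packet), ok in bypass_demo().items():
        print(f"{policy:6} policy, {packet:11} packet: "
              f"{'accept' if ok else 'reject'}")
```

The model keeps the kernel's tolerant behaviour on purpose: skipping SAs the policy does not mention is what lets a single-template policy be satisfied by a packet that never went through the A-B tunnel, so the only way to require the outer SA is to name it in the A-C policy, which is the policy update Herbert says the KM is forced to make.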