pasi.ero...@nokia.com writes:
> - Section 2.23.1: If the responder doesn't find SPD entry for
> transport mode with the modified traffic selectors, and does a lookup
> with the original selectors, if it finds an entry for transport mode,
> can it use it?

I do not think it can use the transport mode SA using the original
selectors. This of course depends on which traffic selectors are used
when installing the SA data into the SAD. If the original selectors are
used, then incoming packets will be dropped because they do not match
the selectors for the SA (RFC 4301 section 5.2, step 5). If the modified
selectors are used when installing the SA, then those selectors were not
matched against the SPD, and this can cause spoofing attacks.

> (And would that screw up the initiator processing of
> the reply?

That again depends on which traffic selectors are returned. If the
original traffic selectors are returned, then the initiator does not get
information about the original addresses, thus it cannot do incremental
checksum updating. Also, depending on what kind of checks the initiator
does, it might cause the initiator to fail the reply processing.

> Unfortunately, this question is relevant for RFC 5555...)

What kind of things does RFC 5555 require?
--
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
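The two failure modes described in the reply above, as an added illustration that is not part of the thread: a toy model of a responder's SPD and SAD with constructed addresses, single-address selectors only (no ranges or ports), and the RFC 4301 section 5.2 step 5 inbound check reduced to an equality test. Installing the SA with the original (pre-NAT) selectors passes the SPD check but drops the post-NAT packets; installing it with the modified selectors accepts the packets but was never authorized by the SPD.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """Simplified traffic selector: one source address, one destination address, one protocol."""
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class ChildSA:
    spi: int
    selector: Selector  # the traffic selector recorded in the SAD for this SA


# Constructed SPD (hypothetical responder policy): a transport-mode entry exists only
# for the initiator's real address, not for the NAT's external address.
SPD = {Selector("192.0.2.10", "198.51.100.5", 6): "PROTECT (transport mode)"}

# Selectors as carried in TSi/TSr (original) and after the responder substitutes the
# address it actually saw on the IKE packet (modified, i.e. the NAT outer address).
ORIGINAL_TS = Selector("192.0.2.10", "198.51.100.5", 6)
MODIFIED_TS = Selector("203.0.113.7", "198.51.100.5", 6)


def spd_lookup(ts: Selector):
    """Return the SPD action for a selector, or None when no policy matches."""
    return SPD.get(ts)


def inbound_packet_accepted(sa: ChildSA, packet_sel: Selector) -> bool:
    """RFC 4301 section 5.2 step 5 (simplified): after decapsulation the packet's
    selectors must match the selectors of the SA it arrived on, else it is dropped."""
    return sa.selector == packet_sel


def evaluate_install_choice(install_sel: Selector, packet_sel: Selector) -> dict:
    """Evaluate one choice of selectors to install in the SAD against the two
    properties a correct responder needs: the installed selectors were authorized
    by an SPD match, and the post-NAT packets that arrive on the SA are accepted."""
    sa = ChildSA(spi=0x1001, selector=install_sel)  # constructed SPI
    return {
        "spd_authorized": spd_lookup(install_sel) is not None,
        "packet_accepted": inbound_packet_accepted(sa, packet_sel),
    }


if __name__ == "__main__":
    # Packets from behind the NAT arrive with the modified (outer) source address.
    print("install original:", evaluate_install_choice(ORIGINAL_TS, MODIFIED_TS))
    print("install modified:", evaluate_install_choice(MODIFIED_TS, MODIFIED_TS))
```

Neither row has both properties true, which is why the reply concludes the SPD entry found via the original selectors cannot simply be reused.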