Hi Zach,

Apologies for the late reply and thank you for the considered analysis.

..snip..

> Is there a reason that the input side is set up like this? Unless there is a good reason for allowing inbound traffic by default, I would propose to patch the ipsec-input node to align with ipsec-output and drop traffic by default.

No reason I know of. Please patch as you suggest.

Regards,
neale

> Best,
> Zach
>
> [1]: https://datatracker.ietf.org/doc/html/rfc4301
> [2]: https://datatracker.ietf.org/doc/html/rfc4301#section-4.4.1
> [3]: https://datatracker.ietf.org/doc/html/rfc4301#section-5
> [4]: https://datatracker.ietf.org/doc/html/rfc4301#section-5.2