2401bis: Revised Processing Model (v2)

1
2401bis Revised Processing Model (v2)

• Steve Kent
• BBN Technologies

2
Processing Model Highlights

• SPDs no longer per interface support as many as
  are needed in a specific context
• Forwarding decision separate from SPD selection
  decision
• SPD may be selected via packet header and local
  metadata (e.g., inbound interface)
• Forwarding performed after traffic passes through
  IPsec
• Nested SA support now optional, requires
  coordination between forwarding tables and SPD
  entries

3
IPsec Processing Model
BLACK
IPsec boundary
AH/ESP
IKE
RED
4
Next Layer of Model (Outbound)
Black Interface
Forwarding
SPD cache
AH/ESP
SPD Selection
Red Interface
5
Next Layer of Model (Inbound)
Black Interface
demux
Bypass/ discard
AH/ESP
IKE
Forwarding
SAD check
Red Interface
6
IPsec Outbound Traffic Processing
discard
bypass
SPD outbound cache
Red interface
SPD Selection
Black interface
Forwarding
AH/ESP
miss
create SA
SAD
create new cache entry
SPD lookup
SA creation (IKE)
SPD-I cache
This example assumes a decorrelated cache
7
IPsec Handling of Inbound Packet
discard
SAD Selector check
SAD lookup
Red interface
IPsec
AH/ESP
forwarding
IP proc
Black interface
SPD-I
IPsec
IKE
discard
SPD
SPD outbound cache