> >I can only find a way to define a global SPD using setkey.  Is it possible
> >to define an (IPv4) SPD on a per interface basis using KAME / FreeBSD4?
> >If not, are there any plans to add this in the future?
> >Is there any reason one wouldn't want to have this?
>       no.  do you want SPD per interface, or IPsec SPI per interface?
>       anyway, IPsec architecture is not interface-oriented (it lives on top
>       of IP, and the information about the interface is already gone)
>       so your suggestion does not fit nicely into the current architecture...

The specification strongly assumes a security gateway which has
two interfaces, namely the internal and the external one, even though it
also considers a host to be secured.

> I read RFC2401 (pg 13) differently, which is why I asked.
> "Each interface for which IPsec is enabled requires nominally separate
> inbound vs. outbound databases (SAD and SPD)"

I think it's an implementation design matter.  We chose to implement it
like address-based packet filtering, not interface-based.

> and further down on pg 13
> "...SG had multiple external interfaces, it might be necessary to have
> separate SAD and SPD pairs for each interface."

On a router which has multiple interfaces, if we configured IPsec on
interface A, but the kernel decided to forward a packet to
interface B due to routing information, the packet could not be secured.
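The routing point above, and the address-based lookup described earlier in this reply, as an added toy model that is not KAME code and not part of the original thread. The routing table, interface names (em0, em1), addresses and policies are all constructed; the address-based SPD is consulted for every packet regardless of egress interface, while a hypothetical per-interface SPD is consulted only on the interface the forwarding path actually chose, so a more specific route via another interface silently sends the packet out unprotected.

```python
"""Toy model: address-selector SPD (the setkey/KAME model) versus a
hypothetical per-interface SPD.  All data below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A policy is (src selector, dst selector, action).  The action names
# loosely mirror setkey's -P levels: "require" means IPsec is mandatory,
# "none" means the packet is sent in the clear.
Policy = Tuple[str, str, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed routing table: destination prefix -> egress interface.
# 10.1.5.0/24 via em1 is the "routing information chose interface B" case.
ROUTES: Dict[str, str] = {
    "10.1.0.0/16": "em0",   # interface A, where IPsec was configured
    "10.1.5.0/24": "em1",   # interface B, more specific route wins
    "0.0.0.0/0": "em1",
}


def egress_interface(dst: str) -> str:
    """Longest-prefix match over ROUTES, as the forwarding path would do."""
    addr = ipaddress.ip_address(dst)
    best_len, best_if = -1, ""
    for prefix, ifname in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_if = net.prefixlen, ifname
    return best_if  # the default route guarantees a match


def _match(pkt: Packet, policies: List[Policy]) -> str:
    """First policy whose selectors cover src and dst wins; default is none."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for src_sel, dst_sel, action in policies:
        if src in ipaddress.ip_network(src_sel) and dst in ipaddress.ip_network(dst_sel):
            return action
    return "none"


# Address-based SPD: one global table matched purely on addresses,
# equivalent in spirit to a setkey "spdadd ... -P out ipsec esp/.../require".
ADDRESS_SPD: List[Policy] = [
    ("192.168.1.0/24", "10.1.0.0/16", "require"),
]

# Hypothetical per-interface SPD: the same policy, but bound to em0 only.
INTERFACE_SPD: Dict[str, List[Policy]] = {
    "em0": [("192.168.1.0/24", "10.1.0.0/16", "require")],
    "em1": [],
}


def lookup_address_spd(pkt: Packet) -> str:
    """Interface-independent lookup: the same answer on any egress path."""
    return _match(pkt, ADDRESS_SPD)


def lookup_interface_spd(pkt: Packet) -> Tuple[str, str]:
    """Policy is consulted only on the interface the packet actually leaves."""
    ifname = egress_interface(pkt.dst)
    return ifname, _match(pkt, INTERFACE_SPD.get(ifname, []))


if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.1.5.7"):
        pkt = Packet("192.168.1.10", dst)
        ifname, per_if = lookup_interface_spd(pkt)
        print(f"{dst}: egress {ifname}, per-interface SPD -> {per_if}, "
              f"address SPD -> {lookup_address_spd(pkt)}")
```

Running it shows the packet to 10.1.2.3 leaving em0 with "require" under both models, while the packet to 10.1.5.7 leaves em1 with "none" under the per-interface model and "require" under the address-based one; that gap is exactly the unprotected forwarding case the reply describes.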
