On Wed, 6 Jun 2012, Yoav Nir wrote:

> > Should the SPD search in IPsec support longest prefix match (LPM)?
>
> Hi
>
> The answer is no. The SPD is an ordered list of entries, and the first match is
> the one to follow.
>
> RFC 4301 defines a decorrelation algorithm (section 4.4.1 and appendix B) that
> removes overlaps for quicker searches, but that does not change the result of
> the SPD search, which is first-match.

The *swan implementations when using KLIPS use longest prefix match.
When using NETKEY/XFRM you get the first match behaviour. The latter
causes all kinds of problems.

Apart from the RFC stating so, what is the reasoning behind favouring
an "arbitrary top down list" over longest prefix match?

Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
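The two lookup strategies the thread contrasts, and the decorrelation step Yoav mentions, as an added worked example that is not code from the thread, from RFC 4301, or from any *swan implementation. The SPD is modelled on a single selector (destination prefix) so the RFC 4301 Appendix B decorrelation reduces to carving earlier prefixes out of later ones; the entries and probe addresses are constructed for illustration. The point it shows: on the ordered list, first-match and longest-prefix-match give different answers for a host covered by a broad early entry and a narrower later one, while the decorrelated list has no overlaps, so any lookup order gives exactly what first-match gave on the original.

```python
"""Added example (not from the thread or any IPsec implementation).

SPD as an ordered list of (destination prefix, action) entries, looked up
with RFC 4301 first-match semantics and with routing-style longest-prefix
match, plus a one-selector version of RFC 4301 Appendix B decorrelation.
All entries and addresses below are constructed for illustration.
"""
import ipaddress
from itertools import combinations
from typing import Iterable, List, Optional, Tuple

Entry = Tuple[ipaddress.IPv4Network, str]

# Constructed SPD in policy order. The broad PROTECT entry comes first, so
# under first-match it shadows the narrower BYPASS entry that follows it.
SPD: List[Entry] = [
    (ipaddress.ip_network("10.0.0.0/8"), "PROTECT"),
    (ipaddress.ip_network("10.1.2.0/24"), "BYPASS"),
    (ipaddress.ip_network("0.0.0.0/0"), "DISCARD"),
]


def first_match(spd: List[Entry], dst: str) -> Optional[str]:
    """RFC 4301 semantics: the SPD is ordered and the first matching entry wins."""
    addr = ipaddress.ip_address(dst)
    for net, action in spd:
        if addr in net:
            return action
    return None  # no entry matched; RFC 4301 says such traffic is discarded


def longest_prefix_match(spd: List[Entry], dst: str) -> Optional[str]:
    """Routing-table semantics: the most specific matching entry wins, order ignored."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Entry] = None
    for net, action in spd:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None


def decorrelate(spd: List[Entry]) -> List[Entry]:
    """One-dimensional RFC 4301 Appendix B decorrelation.

    Each entry becomes "this prefix minus everything covered by earlier
    entries", expressed as disjoint prefixes. Entries wholly shadowed by an
    earlier entry vanish (first-match could never reach them). Because two
    prefixes are either nested or disjoint, subtraction is address_exclude().
    """
    result: List[Entry] = []
    covered: List[ipaddress.IPv4Network] = []
    for net, action in spd:
        remaining = [net]
        for earlier in covered:
            carved = []
            for piece in remaining:
                if piece.subnet_of(earlier):       # wholly shadowed: drop it
                    continue
                if earlier.subnet_of(piece):       # earlier entry punches a hole
                    carved.extend(piece.address_exclude(earlier))
                else:                              # disjoint prefixes: keep as is
                    carved.append(piece)
            remaining = carved
        result.extend((piece, action) for piece in remaining)
        covered.append(net)
    return result


def is_decorrelated(spd: List[Entry]) -> bool:
    """True when no two entries overlap, so lookup order cannot matter."""
    return not any(a.overlaps(b) for (a, _), (b, _) in combinations(spd, 2))


def lookups_agree(spd: List[Entry], samples: Iterable[str]) -> bool:
    """Decorrelation preserves first-match on the original, and on the
    decorrelated list first-match, LPM and a reversed order all agree."""
    dec = decorrelate(spd)
    for dst in samples:
        want = first_match(spd, dst)
        if not (want == first_match(dec, dst)
                == longest_prefix_match(dec, dst)
                == first_match(list(reversed(dec)), dst)):
            return False
    return is_decorrelated(dec)


if __name__ == "__main__":
    probe = "10.1.2.5"
    print("first-match:", first_match(SPD, probe))           # PROTECT
    print("LPM        :", longest_prefix_match(SPD, probe))  # BYPASS
    for net, action in decorrelate(SPD):                     # 9 disjoint entries
        print(f"{str(net):18} {action}")
```

Running it prints PROTECT for first-match and BYPASS for LPM on the same SPD and the same address, which is the behavioural difference between the two lookup styles described above. The decorrelated list has nine entries: the original 10.0.0.0/8 PROTECT entry, nothing for the dead 10.1.2.0/24 BYPASS entry, and the default DISCARD split into the eight prefixes that remain once 10.0.0.0/8 is removed from 0.0.0.0/0.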