Subject: Order of SPD evaluation in ipsec
To: None <tech-crypto@netbsd.org>
From: Christoph Kaegi <kgc@zhwin.ch>
List: tech-crypto
Date: 05/09/2001 11:51:43
Hi

I am setting up two NetBSD 1.5 boxes which tunnel and
(ESP) encrypt traffic like follows:

         I-----I                  I-----I
Net 1 ---I     I                  I     I---- Net 3
         I Box I                  I Box I
         I  1  I----- Tunnel -----I  2  I
         I     I                  I     I
Net 2 ---I     I                  I     I---- Net 4
         I-----I                  I-----I

I have successfully set up the systems, traffic gets
encrypted between the boxes.

But how can I drop all packets on the boxes which
aren't from or to Net[1234]?

I tried with additional SPD entries like:

   # disallow everything else
   spdadd Net1 0.0.0.0/0 any -P out discard;
   spdadd 0.0.0.0/0 Net1 any -P in discard;

... at the *end* of my /etc/ipsec.conf.

This doesn't work (no connection at all anymore).

So, I guess the packet checker doesn't stop looking
at the SPD rules when it has already found a satisfying
rule.

How are the SPD rules checked?

I couldn't find an answer by searching around the net.

Also: the IPSEC implementation doesn't seem to drop
packets for which there isn't a matching SPD rule
(as RFC 2401 requires).

Thanks for any help

Regards

Chris

-- 
----------------------------------------------------------------------
Christoph Kaegi                                           kgc@zhwin.ch
----------------------------------------------------------------------