SAD
... SA in the security association database (SAD).
[figure labels: Original Outbound Packet; Outbound Packet (IPsec Transport Mode ...)]
... lookup will occur in the
per-interface SAD associated with the respective virtual interface.
...
... routing protocols and forwarding
mechanisms are modified to consult both the routing tables and SADs
to make forwarding decisions. To prevent IPsec processing from
...
... routing, but requires changes to
routing mechanisms such that SAD contents are included in the route
exchanges. It is unclear how transport-layer ...
... routing protocols and forwarding lookup mechanisms to act or
synchronize based on SAD entries. This requires substantial changes
to routing software and forwarding mechanisms in all participating
...
... tunnels can use the same
outgoing interface and thus same SAD. The forwarding lookup would
return only the interface ...
... next-hop gateway, the correct
SAD entry cannot be determined. Giving the next-hop gateway would not
help, because the SAD is not indexed by tunnel mode SA encapsulation
...
... interfaces, for the purpose of routing. SAD changes must furthermore
dynamically update the configuration of these SA ...
... 2401 [1] describes per-interface SADs as a
component of IPsec. When tunnel mode SAs ...
... First, each tunnel interface SAD must contain exactly one IPsec
tunnel mode SA. Transport mode ...
... interfaces to
contain only tunnel mode SAs, and the SADs of regular interfaces to
contain only transport mode ...
...
Incoming packet processing must check the SAD before determining
whether to decapsulate IPsec ...
... IPsec packets with inner payload of protocol
type 4. If the SAD indicates that a tunnel mode association applies,
...
... IPsec must not decapsulate the
packet. This requires that the SAD indicate one of these two
options; wildcard SAD entries ("ANY", or "TUNNEL or TRANSPORT")
...
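The per-interface SAD rules collected in the snippets above (one tunnel mode SA per tunnel interface, transport mode SAs only on regular interfaces, forwarding that goes routing table -> interface -> that interface's SAD, and an inbound check of the SAD before any IP-in-IP decapsulation, with no wildcard entries) as a runnable model. This is an added illustration written for this page, not code from RFC 3884 or from any IPsec implementation; the interface names, SPIs, addresses and the `InterfaceSAD`, `forward` and `inbound` helpers are constructed for it, and the inbound SA index (SPI, outer destination) is a simplification of the real SAD lookup.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_IPIP = 4   # IP-in-IP, the inner payload type the snippets discuss
TUNNEL = "tunnel"
TRANSPORT = "transport"


@dataclass(frozen=True)
class SA:
    """Minimal SAD entry (both directions of one SA pair collapsed into one
    record for the illustration). mode must be exactly TUNNEL or TRANSPORT."""
    spi: int      # SPI carried by inbound packets
    local: str    # our address: outer destination of inbound packets
    peer: str     # remote endpoint: outer destination of outbound packets
    mode: str


class InterfaceSAD:
    """Per-interface SAD (hypothetical class). A tunnel interface's SAD holds
    exactly one tunnel mode SA; a regular interface's SAD holds only
    transport mode SAs."""

    def __init__(self, name: str, is_tunnel_iface: bool) -> None:
        self.name = name
        self.is_tunnel_iface = is_tunnel_iface
        self.entries: Dict[Tuple[int, str], SA] = {}   # (spi, local) -> SA

    def add(self, sa: SA) -> None:
        # Reject wildcard modes: inbound processing needs a definite answer.
        if sa.mode not in (TUNNEL, TRANSPORT):
            raise ValueError(f"{self.name}: wildcard mode {sa.mode!r} not allowed")
        if self.is_tunnel_iface:
            if sa.mode != TUNNEL:
                raise ValueError(f"{self.name}: tunnel interface holds tunnel mode SAs only")
            if self.entries:
                raise ValueError(f"{self.name}: tunnel interface holds exactly one SA")
        elif sa.mode != TRANSPORT:
            raise ValueError(f"{self.name}: regular interface holds transport mode SAs only")
        self.entries[(sa.spi, sa.local)] = sa

    def lookup_inbound(self, spi: int, outer_dst: str) -> Optional[SA]:
        return self.entries.get((spi, outer_dst))

    def outbound_sa(self, next_hop: str) -> Optional[SA]:
        # Tunnel interface: the single SA, nothing to disambiguate.
        if self.is_tunnel_iface:
            return next(iter(self.entries.values()), None)
        # Regular interface: the transport mode SA to this peer, if any.
        return next((sa for sa in self.entries.values() if sa.peer == next_hop), None)


def add_rejected(sad: InterfaceSAD, sa: SA) -> bool:
    """True if the SAD refuses the entry under the rules above."""
    try:
        sad.add(sa)
    except ValueError:
        return True
    return False


def forward(routes: Dict[str, Tuple[str, str]], sads: Dict[str, InterfaceSAD],
            dst: str) -> Tuple[str, Optional[SA]]:
    """Outbound: the routing table yields (interface, next hop); the
    interface's own SAD then yields the SA, so the SA follows from the
    interface and the forwarding lookup needs no second SAD index."""
    iface, next_hop = routes[dst]
    return iface, sads[iface].outbound_sa(next_hop)


def inbound(sads: Dict[str, InterfaceSAD], outer_dst: str, spi: int,
            inner_proto: int) -> str:
    """Inbound: consult the SAD before deciding whether to decapsulate.
    Tunnel mode SA: IPsec strips the inner IP header itself.
    Transport mode SA carrying protocol 4: IPsec must NOT decapsulate; the
    IP-in-IP packet goes to the tunnel interface. No matching SA: drop."""
    for sad in sads.values():
        sa = sad.lookup_inbound(spi, outer_dst)
        if sa is None:
            continue
        if sa.mode == TUNNEL:
            return "ipsec-decapsulated"
        if inner_proto == IPPROTO_IPIP:
            return "handed-to-ipip-tunnel-interface"
        return "transport-delivered"
    return "drop-no-sa"


def build_example() -> Tuple[Dict[str, Tuple[str, str]], Dict[str, InterfaceSAD]]:
    """Constructed sample: two tunnel interfaces and one regular interface.
    Addresses are documentation ranges, not real hosts."""
    eth0 = InterfaceSAD("eth0", is_tunnel_iface=False)
    eth0.add(SA(0x1001, local="192.0.2.10", peer="192.0.2.1", mode=TRANSPORT))
    eth0.add(SA(0x1002, local="192.0.2.10", peer="192.0.2.2", mode=TRANSPORT))
    ipsec0 = InterfaceSAD("ipsec0", is_tunnel_iface=True)
    ipsec0.add(SA(0x2001, local="192.0.2.10", peer="198.51.100.1", mode=TUNNEL))
    ipsec1 = InterfaceSAD("ipsec1", is_tunnel_iface=True)
    ipsec1.add(SA(0x2002, local="192.0.2.10", peer="198.51.100.2", mode=TUNNEL))
    routes = {"10.1.0.5": ("ipsec0", "198.51.100.1"),
              "10.2.0.9": ("ipsec1", "198.51.100.2"),
              "192.0.2.2": ("eth0", "192.0.2.2")}
    return routes, {s.name: s for s in (eth0, ipsec0, ipsec1)}
```

The two tunnel interfaces share the same local address and differ only in SPI and interface; because each tunnel interface's SAD holds a single SA, `forward` never has to pick between tunnel SAs once the routing table has chosen the interface, which is the ambiguity the shared-SAD snippet describes. `inbound` shows the other half: a transport mode SA whose payload is protocol 4 is left for the IP-in-IP tunnel interface rather than decapsulated by IPsec, and `add` refuses the wildcard modes that would make that decision impossible.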
