3.7.4.1 Outbound Packet

An outbound packet MUST be matched against the SPD to determine if and how it needs to be protected, as specified in [RFC4301] section 5.

  • If the packet matches a negotiation discovery rule in the SPD, and no QM SA matches the packet, one of the following MUST occur:

    • If the Secure flag is not set for the corresponding flow:

      The IPsec implementation MUST send the packet and MUST trigger IKE to negotiate the corresponding QM SA if the Acquire flag is not set on the corresponding flow. Otherwise, the IPsec implementation MUST send the packet and MUST NOT trigger IKE. The first quick mode negotiation message is message #5. Message #5 MUST be constructed as follows:

      • The header and payloads MUST be constructed as specified in [RFC2409] section 5.5.

      • If the SPD rule matching the traffic has the Boundary flag set, or if the Guarantee Encryption flag is set for the flow, the host MUST include a notification payload with the following fields and values:

        Notify Message Type (2 bytes): 0x9C45 (EXCHANGE_INFO) (section 2.2.6).

        The Notification_Data field is interpreted as a flags field.

        • Flag 0x00000001 (IKE_EXCHANGE_INFO_ND_BOUNDARY) MUST be set if the corresponding rule in the SPD has the Boundary flag set.

        • Flag 0x00000002 (IKE_EXCHANGE_INFO_GUARANTEE_ENCRYPTION) MUST be set if the Guarantee Encryption flag is set on the corresponding flow.

        • This notification payload MUST be constructed as specified in section 2.2.6.

      The host MUST then set the Acquire flag on the corresponding flow.

    • If the Secure flag is set for the corresponding flow:

      The IPsec implementation MUST NOT send the packet (it can queue or silently discard the packet) and MUST trigger IKE to negotiate the corresponding QM SA. Message #5 MUST be constructed as previously specified.

      If a QM SA needs to be negotiated, and no corresponding MM SA exists (as determined by using the outbound packet destination IP address to look up the MMSAD), an MM SA MUST be negotiated. The host MUST construct and send packet #1 as specified in [RFC2409] section 5. The host MUST include in it an "MS-Negotiation Discovery Capable" vendor ID payload (a vendor ID payload generated by using the vendor ID string "MS-Negotiation Discovery Capable", as specified in [RFC2408] section 3.16).

  • If the packet matches a negotiation discovery rule in the SPD, and a QM SA matches the packet, the following MUST occur:

    If the matching QM SA and the corresponding flow do not have the same value for the Guaranteed Encryption flag, the host MUST trigger IKE to negotiate the corresponding QM SA, as previously described in the case where there is no matching QM SA for the packet.

    Otherwise, one of the following MUST occur:

    • If the matching QM SA is a UDP-ESP SA ([RFC3947] section 5) with the Boundary flag (defined in section 3.7.1) set, the host MUST send the packet in Cleartext.

    • Otherwise, the IPsec implementation MUST send the packet encapsulated by using the matching QM SA, and it MUST set the Secure flag for this flow.

  • If the packet does not match a negotiation discovery rule, packet processing MUST be performed as specified in [RFC4301] section 5.

If the packet matches a Guaranteed Encryption rule in the SPD, the host MUST set the Guaranteed Encryption flag on the corresponding flow. This rule MUST apply regardless of whether a matching QM SA is found or not.
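The decision procedure above (negotiation discovery match, QM SA lookup, Secure/Acquire/Guaranteed Encryption flag handling, and the EXCHANGE_INFO notification in message #5) can be followed in a small reference model. The following is an added example written for this page, not code from the specification or from any Windows implementation. It assumes: the flow, SPD rule and QM SA state are reduced to the flags this section names; the EXCHANGE_INFO payload uses the generic ISAKMP Notification payload layout of [RFC2408] section 3.14 with DOI 1, Protocol-ID 1, SPI Size 0 and a 4-byte big-endian flags field (section 2.2.6 is not reproduced on this page, so that layout is an assumption); and the vendor ID is the MD5 digest of the vendor ID string, which is how the well-known Microsoft vendor IDs are derived but is likewise stated here as an assumption.

```python
import hashlib
import struct
from dataclasses import dataclass

# Values given on this page (section 2.2.6 of the specification).
EXCHANGE_INFO = 0x9C45
IKE_EXCHANGE_INFO_ND_BOUNDARY = 0x00000001
IKE_EXCHANGE_INFO_GUARANTEE_ENCRYPTION = 0x00000002
ND_VENDOR_STRING = b"MS-Negotiation Discovery Capable"


@dataclass
class SpdRule:
    negotiation_discovery: bool = False
    boundary: bool = False
    guaranteed_encryption: bool = False


@dataclass
class Flow:
    # Per-flow state this section reads and updates.
    secure: bool = False
    acquire: bool = False
    guaranteed_encryption: bool = False


@dataclass
class QmSa:
    udp_esp: bool = False        # UDP-encapsulated ESP SA ([RFC3947] section 5)
    boundary: bool = False       # Boundary flag from section 3.7.1
    guaranteed_encryption: bool = False


def exchange_info_flags(rule: SpdRule, flow: Flow) -> int:
    """Flags carried in the Notification_Data of the EXCHANGE_INFO payload."""
    flags = 0
    if rule.boundary:
        flags |= IKE_EXCHANGE_INFO_ND_BOUNDARY
    if flow.guaranteed_encryption:
        flags |= IKE_EXCHANGE_INFO_GUARANTEE_ENCRYPTION
    return flags


def build_exchange_info_payload(flags: int, next_payload: int = 0) -> bytes:
    # Assumed layout (RFC 2408 Notification payload): Next Payload(1), RESERVED(1),
    # Payload Length(2), DOI(4), Protocol-ID(1), SPI Size(1), Notify Message Type(2),
    # then Notification_Data. SPI Size is 0, so no SPI bytes follow the header.
    data = struct.pack("!I", flags)  # assumption: 4-byte big-endian flags field
    length = 12 + len(data)
    header = struct.pack("!BBHIBBH", next_payload, 0, length, 1, 1, 0, EXCHANGE_INFO)
    return header + data


def nd_vendor_id() -> bytes:
    # Assumption: the vendor ID is the MD5 digest of the vendor ID string.
    return hashlib.md5(ND_VENDOR_STRING).digest()


def process_outbound(rule, flow: Flow, qm_sa, have_mm_sa: bool) -> dict:
    """Model the outbound decision of section 3.7.4.1; mutates flow flags in place.

    'send' is one of: 'rfc4301' (ordinary IPsec processing), 'cleartext',
    'protected' (encapsulate with the matching QM SA) or 'withhold' (queue/discard).
    """
    actions = {"send": None, "trigger_qm": False, "trigger_mm": False,
               "message5_flags": None, "vendor_id": None}
    if rule is None or not rule.negotiation_discovery:
        actions["send"] = "rfc4301"
        return actions
    # Guaranteed Encryption rule: set the flow flag regardless of QM SA match.
    if rule.guaranteed_encryption:
        flow.guaranteed_encryption = True
    # No QM SA, or one whose Guaranteed Encryption flag disagrees with the flow,
    # both lead into the "no matching QM SA" handling.
    if qm_sa is None or qm_sa.guaranteed_encryption != flow.guaranteed_encryption:
        if not flow.secure:
            actions["send"] = "cleartext"
            actions["trigger_qm"] = not flow.acquire   # Acquire set => do not re-trigger
        else:
            actions["send"] = "withhold"
            actions["trigger_qm"] = True
        if actions["trigger_qm"]:
            actions["message5_flags"] = exchange_info_flags(rule, flow)
            flow.acquire = True
            if not have_mm_sa:   # no MM SA for this destination in the MMSAD
                actions["trigger_mm"] = True
                actions["vendor_id"] = nd_vendor_id()
        return actions
    if qm_sa.udp_esp and qm_sa.boundary:
        actions["send"] = "cleartext"
    else:
        actions["send"] = "protected"
        flow.secure = True
    return actions
```

Calling `process_outbound` twice on the same fresh flow with no QM SA shows the Acquire flag doing its job: the first packet is sent in the clear and triggers quick mode (plus main mode when no MM SA exists), the second is sent in the clear without re-triggering IKE. Once a protecting QM SA exists the flow's Secure flag is set, so a later loss of that SA withholds traffic instead of leaking it in cleartext.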