IPsec and IKE Administration Guide

Protection Policy and Enforcement Mechanisms

IPsec separates its protection policy from its enforcement mechanisms. You can enforce IPsec policies at the system-wide level and at the per-socket level.

You use the ipsecconf command to configure the system-wide policy. See the ipsecconf(1M) man page.

IPsec applies the system-wide policy to incoming datagrams and outgoing datagrams. You can apply some additional rules to outgoing datagrams, because of the additional data that is known by the system. Inbound datagrams can be either accepted or dropped. The decision to drop or accept an inbound datagram is based on several criteria, which sometimes overlap or conflict. Conflicts are resolved by determining which rule is parsed first. Except when a policy entry states that traffic should bypass all other policy, the traffic is automatically accepted. Outbound datagrams are either sent with protection or without protection. If protection is applied, the algorithms are either specific or non-specific.

The policy that normally protects a datagram can be bypassed. You can either specify an exception in the system-wide policy, or you can request a bypass in the per-socket policy. For intra-system traffic, policies are enforced, but actual security mechanisms are not applied. Instead, the outbound policy on an intra-system packet translates into an inbound packet that has had those mechanisms applied.
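The system-wide policy with bypass exceptions described above, written as policy entries in ipsecconf syntax. This is an added example, not taken from the original guide; the ports chosen for bypass and the algorithm choices are assumptions made for illustration.

```conf
# Constructed sample policy file, loaded with: ipsecconf -a <file>

# Exceptions in the system-wide policy: web traffic served by this
# host bypasses IPsec in both directions. These entries come first,
# so they are parsed before the general entry below.
{lport 80 ulp tcp dir both} bypass {}
{lport 443 ulp tcp dir both} bypass {}

# All other traffic must be protected. Outbound datagrams are sent
# with ESP using the specific algorithms named here; inbound datagrams
# that do not meet this policy are dropped.
{} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}
```

Every bypass entry is traffic that leaves or enters the system without protection, so review those entries first when auditing a policy file.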