If we take an example of the Linux ip xfrm command:

ip xfrm policy add src $LOCAL dst $REMOTE dir out tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel

What does the tmpl do?
UPDATE: Of course, I understand we need to specify the $SRC and $DST. But, since those are already specified in the SA, via the ip xfrm state command, why do we need to repeat them in the tmpl? And what is the meaning of calling it a "template"? To me, it seems it's just a pointer to a preexisting SA (state).
Best Answer
It tells the kernel how to process packets (for out policies), or where packets must come from (for in policies) when traffic matches this policy (fwd policies are a bit special as they might apply in both directions depending on the selector, see this answer). In your example the policy will send traffic through the ESP tunnel mode SA with endpoint IP addresses $SRC and $DST, and reqid $ID.

To actually find the SA/state. These are stored in a hashtable and the addresses (in particular the destination address) are part of the hash value. For tunnel mode SAs the addresses of the packet that matched the outbound policy don't necessarily match the addresses of the SA (for transport mode you might not have to add the addresses to the template).

Not sure, but could be related to acquires, that is, if no matching SA has yet been established the information serves as template for the keying daemon when creating a new SA.
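A small model of the lookup the answer describes, added here as an illustration (it is not code from the original answer, nor from the kernel or iproute2): an outbound packet is matched against the policy selector, the policy's template is then used to find the SA by its own endpoint addresses, proto, reqid and mode, and if no SA exists the template is what would be handed to the keying daemon as an acquire. The addresses and reqid are constructed stand-ins for the question's shell variables.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for $LOCAL/$REMOTE (selector) and $SRC/$DST/$ID (template).
LOCAL, REMOTE = "10.1.0.0/24", "10.2.0.0/24"      # inner addresses the selector matches
SRC, DST, ID = "203.0.113.1", "198.51.100.1", 42   # tunnel endpoints and reqid of the SA

@dataclass(frozen=True)
class Template:            # the "tmpl ..." part of an xfrm policy
    src: str; dst: str; proto: str; reqid: int; mode: str

@dataclass(frozen=True)
class State(Template):     # an SA from "ip xfrm state": same key fields plus an SPI
    spi: int

@dataclass(frozen=True)
class Policy:
    sel_src: str; sel_dst: str; direction: str; tmpl: Template

def find_state(states, tmpl):
    """Mimic the kernel's state lookup: states are found by their own
    addresses (destination first); proto, reqid and mode must also match."""
    for st in states:
        if (st.dst, st.src, st.proto, st.reqid, st.mode) == \
           (tmpl.dst, tmpl.src, tmpl.proto, tmpl.reqid, tmpl.mode):
            return st
    return None

def route_out(policies, states, pkt_src, pkt_dst):
    """Resolve an outbound packet: ('esp', state) when a policy matches and its
    template resolves to an SA, ('acquire', tmpl) when the policy matches but
    no SA exists yet, ('plain', None) when no out policy matches."""
    s, d = ipaddress.ip_address(pkt_src), ipaddress.ip_address(pkt_dst)
    for pol in policies:
        if pol.direction != "out":
            continue
        if s in ipaddress.ip_network(pol.sel_src) and d in ipaddress.ip_network(pol.sel_dst):
            st = find_state(states, pol.tmpl)
            return ("esp", st) if st else ("acquire", pol.tmpl)
    return ("plain", None)

tmpl = Template(SRC, DST, "esp", ID, "tunnel")
policies = [Policy(LOCAL, REMOTE, "out", tmpl)]
states = [State(SRC, DST, "esp", ID, "tunnel", spi=0x1000),
          State(SRC, DST, "esp", ID + 1, "tunnel", spi=0x1001)]  # same endpoints, other reqid

if __name__ == "__main__":
    # Inner addresses 10.1.0.5 -> 10.2.0.7 differ from the SA's 203.0.113.1 -> 198.51.100.1,
    # which is why the template, not the packet, carries the addresses used for the lookup.
    print(route_out(policies, states, "10.1.0.5", "10.2.0.7"))   # SA with reqid 42 is chosen
    print(route_out(policies, states, "10.1.0.5", "192.0.2.9"))  # no policy: sent in clear
    print(route_out(policies, [], "10.1.0.5", "10.2.0.7"))       # policy but no SA: acquire
```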