Linux ip xfrm: What is the purpose of the tmpl

Tags: ipsec, linux-networking

If we take an example of the Linux ip xfrm command:

 ip xfrm policy add src $LOCAL dst $REMOTE dir out tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel

What does the tmpl do?

UPDATE: Of course, I understand we need to specify the $SRC and $DST. But, since those are already specified in the SA, via the ip xfrm state command, why do we need to repeat them in the tmpl? And what is the meaning of calling it a "template"? To me, it seems it's just a pointer to a preexisting SA (state).

Best Answer

It tells the kernel how to process packets (for out policies), or where packets must come from (for in policies) when traffic matches this policy (fwd policies are a bit special as they might apply in both directions depending on the selector, see this answer). In your example the policy will send traffic through the ESP tunnel mode SA with endpoint IP addresses $SRC and $DST, and reqid $ID.

Why do we need to repeat them in the tmpl?

To actually find the SA/state. These are stored in a hashtable and the addresses (in particular the destination address) are part of the hash value. For tunnel mode SAs the addresses of the packet that matched the outbound policy don't necessarily match the addresses of the SA (for transport mode you might not have to add the addresses to the template).

And what is the meaning of calling it a "template"?

Not sure, but could be related to acquires, that is, if no matching SA has yet been established the information serves as template for the keying daemon when creating a new SA.
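An added example (not part of the question or the answer above) that makes the "repeat them in the tmpl" point concrete: the state and the policy are built from one set of constructed values so the tmpl fields visibly mirror the SA's, and a small offline model of the kernel's SA lookup shows which template fields select which state. The SA table, addresses, reqids and SPIs are constructed; the AEAD key is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Models the SA lookup
# a policy template triggers: the key is dst, src, proto, reqid and mode. In
# transport mode the packet's own addresses are the key; in tunnel mode the
# template's addresses are (the real kernel can also derive an omitted tunnel
# src from the routing table, which this offline model does not do).

LOCAL=10.0.1.0/24      # inner selector: traffic the policy applies to
REMOTE=10.0.2.0/24
SRC=192.0.2.1          # outer tunnel endpoints, shared by state and tmpl
DST=198.51.100.1
ID=42
SPI=0x1000

# Print the two commands (not executed here: they need root and a real kernel).
xfrm_commands() {
    echo "ip xfrm state add src $SRC dst $DST proto esp spi $SPI reqid $ID mode tunnel aead 'rfc4106(gcm(aes))' 0xKEY_PLACEHOLDER 128"
    echo "ip xfrm policy add src $LOCAL dst $REMOTE dir out tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel"
}

# Constructed SA table, one per line: src dst proto reqid mode spi
STATES="$SRC $DST esp $ID tunnel $SPI
$SRC $DST esp 43 tunnel 0x1001
10.0.1.5 10.0.2.5 esp 7 transport 0x2000"

# find_state "src dst proto reqid mode" PKT_SRC PKT_DST
# The first argument is the tmpl as written on the policy line; 0.0.0.0 is what
# ip xfrm shows for an omitted address. Prints the SPI of the selected state and
# returns 0, or returns 1 when no state matches the template.
find_state() {
    psrc=$2; pdst=$3
    set -- $1
    tsrc=$1; tdst=$2; tproto=$3; treqid=$4; tmode=$5
    if [ "$tmode" = transport ]; then
        tsrc=$psrc; tdst=$pdst     # transport: template addresses are ignored
    fi
    while read ssrc sdst sproto sreqid smode spi; do
        if [ "$ssrc" = "$tsrc" ] && [ "$sdst" = "$tdst" ] && \
           [ "$sproto" = "$tproto" ] && [ "$sreqid" = "$treqid" ] && \
           [ "$smode" = "$tmode" ]; then
            echo "$spi"
            return 0
        fi
    done <<EOF
$STATES
EOF
    return 1
}
```

Two tunnel SAs with identical endpoints are told apart only by reqid, which is why the policy line carries it; a tunnel template without addresses finds nothing because the inner packet addresses never equal the outer SA addresses.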
