Note that the usual way to implement SKIP is via an
intermediate module inserted below the standard IP driver.
Unless SKIP is not embedded in the IP driver itself (100% of cases ;-)
you may always assume that the ACL will be processed before giving
a packet to the IP level.

Note as well that enabling forwarding on a SKIP interface without
support for sophisticated policy management is a dangerous practice,
though it should not be possible in most existing standalone SKIP
implementations (just guessing ;-).

When you are talking about 'forwarding', I suspect that your
case (with the quad Ethernet card) refers rather to 'routing'.
Look at the Sun WWW page; they have the SunScreen EFS product that might
solve your problems.

--Alexei

-----Original Message-----
From: Rafael D'Halleweyn <[EMAIL PROTECTED]>
To: SKIP List <[EMAIL PROTECTED]>
Date: 8 [month garbled] 1998, 17:22
Subject: SunScreen SKIP and forwarding
:
:Hi,
:
:I am using SunScreen SKIP on several SUN machines (Solaris 2.6,
:Ultra2 and Ultra5). These machines are located on different
:networks. The Ultra2 machines have quad ethernet cards and are
:connected to the different networks.
:
:Without SKIP installed on the Ultra2s, I can use these machines to
:do IP-forwarding between the networks (I can also forward SKIP
:traffic through these non-SKIP machines). This is how I would
:expect it to work.
:
:When I install SKIP on an Ultra2 it fails to forward traffic. What
:happens? Well, the Ultra2 first tries to match the incoming traffic
:against the ACL for that interface. If the incoming traffic does
:not match the ACL (encryption/clear text, wrong keys...) it drops
:the packet. This happens, even if the packet is not addressed to
:the Ultra2.
:
:So it seems that with SKIP installed, the OS checks the ACL before
:deciding to forward or not. It seems that this order should be
:inverted.
:
:Does anybody know how this set-up can be handled correctly?
:
:Thanks,
:
:--
:Raf D'Halleweyn
:
:
:
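
A simplified model of the packet path discussed in this thread, added here as an illustration (it is not code from SunScreen SKIP or from either poster). The interface name, addresses and ACL layout are constructed, and key handling is not modelled; it only shows why a transit packet is judged by the receiving interface's ACL before IP ever looks at its destination.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    skip: bool  # True if the packet arrives SKIP-encapsulated

# Constructed per-interface ACL: peer address -> True if SKIP is required,
# False if cleartext is expected. Peers not listed have no matching entry.
ACL = {"qe0": {"10.1.0.5": True, "10.1.0.9": False}}
LOCAL_ADDRS = {"10.1.0.1", "10.2.0.1"}  # the multi-homed host's own addresses

def skip_module_in(iface, pkt):
    """Module below IP: match the sender against the interface ACL."""
    required = ACL.get(iface, {}).get(pkt.src)
    if required is None or required != pkt.skip:
        return None  # no entry, or wrong mode: dropped before IP sees it
    return pkt

def ip_input(pkt):
    """IP layer: only at this point is the destination examined."""
    return "deliver" if pkt.dst in LOCAL_ADDRS else "forward"

def receive(iface, pkt, skip_installed=True):
    """Full inbound path; skip_installed=False models a plain IP forwarder."""
    if skip_installed and skip_module_in(iface, pkt) is None:
        return "dropped-by-acl"
    return ip_input(pkt)

def demo():
    # Constructed transit packets, all addressed to a host on another network.
    unknown_peer = Packet("10.1.0.77", "10.2.0.8", skip=False)
    wrong_mode = Packet("10.1.0.9", "10.2.0.8", skip=True)
    matching = Packet("10.1.0.9", "10.2.0.8", skip=False)
    return {
        "unknown peer, SKIP installed": receive("qe0", unknown_peer),
        "unknown peer, no SKIP": receive("qe0", unknown_peer, False),
        "wrong mode, SKIP installed": receive("qe0", wrong_mode),
        "matching entry, SKIP installed": receive("qe0", matching),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```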