The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
In the context of packet-based communication networks, a security policy database (SPD) specifies the services that may be applied to data packets. Examples of security services include encapsulating a packet or discarding a packet. A SPD is typically consulted for each packet prior to transmittal of the packet. The SPD is searched based on a set of one or more attributes of a packet (i.e., “attribute keys or selectors”). A match is found if the packet possesses attributes that satisfy the constraints of some set of attribute key(s) or selectors in the SPD. Representative attribute keys include: (1) destination IP address, (2) source IP address, (3) protocol, (4) destination port, (5) source port and/or (6) other non-volatile attributes of a packet. If a match is found, the SPD will specify the processing that is required to be applied to the packet. For example, the SPD may specify that (1) the packet should be discarded and not allowed to be transmitted further, (2) the packet may be transmitted without undergoing IPsec processing, or (3) the packet must undergo processing (e.g., security services), such as IPsec processing, prior to transmittal.
As stated above, if the SPD specifies that the packet must undergo processing prior to transmittal, the SPD will further specify the types of processing that are required to be applied to the packet. For example, the SPD could specify that the packet is to be encapsulated. If a SPD entry specifies that a packet having a certain attribute or set of attributes requires encapsulation, the encapsulation is performed on the packet to create an encapsulated packet. However, in light of an attribute or set of attributes of the encapsulated packet, the SPD may require further processing of the encapsulated packet (e.g., the encapsulated packet may also need to be encapsulated). As such, after the packet is encapsulated, the SPD must be searched again to determine if the SPD requires further processing of the encapsulated packet. In some instances, packets may need to be encapsulated many times, referred to as nested encapsulation. Performing nested encapsulation in this manner may consume a significant amount of computational and storage resources and time, particularly when a SPD is large.
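The following is an added example, not code from the application: it models the conventional behaviour described above, an SPD searched by selectors, with the search repeated for each encapsulated packet until the packet is bypassed or discarded. The entry layout, the action names, the `max_depth` guard against a policy that re-encapsulates forever, and the constructed SPD and addresses are all assumptions made for illustration; the returned lookup count shows how many SPD searches a nested encapsulation costs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"  # SPD actions (assumed names)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    depth: int = 0          # encapsulations applied so far

@dataclass(frozen=True)
class SPDEntry:             # selectors plus the required processing
    src_net: str
    dst_net: str
    proto: Optional[str]    # None matches any protocol
    action: str
    outer_src: str = ""     # tunnel endpoints used when action == PROTECT
    outer_dst: str = ""

def matches(e: SPDEntry, p: Packet) -> bool:
    return (ip_address(p.src) in ip_network(e.src_net)
            and ip_address(p.dst) in ip_network(e.dst_net)
            and (e.proto is None or e.proto == p.proto))

def lookup(spd: List[SPDEntry], p: Packet) -> Optional[SPDEntry]:
    return next((e for e in spd if matches(e, p)), None)  # first match wins
def apply_policy(spd: List[SPDEntry], p: Packet, max_depth: int = 8) -> Tuple[Optional[Packet], int]:
    """Search the SPD, encapsulate if required, search again for the new outer
    header, and so on; returns (final packet or None, number of SPD searches)."""
    lookups = 0
    while True:
        e = lookup(spd, p)
        lookups += 1
        if e is None or e.action == DISCARD:
            return None, lookups          # no match is treated as discard
        if e.action == BYPASS:
            return p, lookups
        if p.depth >= max_depth:          # guard: a policy that always re-encapsulates
            return None, lookups          # must not loop forever
        p = Packet(e.outer_src, e.outer_dst, "esp", p.depth + 1)

# Constructed SPD: host traffic is tunnelled to a site gateway, gateway traffic is
# tunnelled again across a second tunnel, and the outer tunnel is passed through.
SPD = [
    SPDEntry("10.1.0.0/16", "10.2.0.0/16", None, PROTECT, "192.0.2.1", "198.51.100.1"),
    SPDEntry("192.0.2.0/24", "198.51.100.0/24", "esp", PROTECT, "203.0.113.1", "203.0.113.2"),
    SPDEntry("203.0.113.0/24", "203.0.113.0/24", "esp", BYPASS),
]
```

With this SPD a host packet is encapsulated twice and costs three SPD searches, one per header that had to be matched.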
Based on the foregoing, an approach for performing nested encapsulation in networks that does not suffer from the limitations of conventional approaches is highly desirable.