3.7.4.2 Inbound Packet

An inbound packet is matched against the SPD after IPsec decapsulation to determine if and how it needs to be treated, as specified in [RFC4301] section 5. The following rules MUST be applied to the packet:

  • If the packet is in Cleartext:

    • If the packet is the first packet for a new flow (for example, an inbound TCP SYN packet):

      If the packet matches an inbound negotiation discovery rule in the SPD, the host MUST accept the packet. Otherwise, the host MUST silently discard the packet.

    • If the packet belongs to an already existing flow:

      If the Secure flag is not set on the flow, the host MUST accept the packet. Otherwise, the host MUST silently discard the packet.

  • If the packet was encapsulated using ESP or authentication header (AH):

    The host MUST set the Secure flag on the flow and process the packet as specified in [RFC4301] section 5.

Regardless of whether the packet is in cleartext, if there is an SA that matches the packet and its Guaranteed Encryption flag is set, the host MUST set the Guaranteed Encryption flag on the corresponding flow.
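The decision procedure above, written out as a small Python model (an added example, not code from the protocol document). The Flow and Packet classes, the 5-tuple flow key, and the (proto, dport) shape of a negotiation discovery rule are assumptions of this model; "first packet for a new flow" is taken to mean that no entry for the 5-tuple exists in the flow table yet.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    """Per-flow state kept by the host (constructed model, not the spec's data structures)."""
    secure: bool = False                 # set once an ESP/AH-protected packet is seen
    guaranteed_encryption: bool = False  # copied from the matching SA's flag

@dataclass
class Packet:
    flow_id: tuple                # constructed (src, dst, proto, sport, dport)
    cleartext: bool               # True if the packet carried no ESP/AH
    sa_guaranteed_encryption: Optional[bool] = None  # matching SA's flag; None if no SA matched

def matches_nd_rule(flow_id, nd_rules):
    """Inbound negotiation discovery rules modelled as (proto, dport); None is a wildcard."""
    _, _, proto, _, dport = flow_id
    return any((p is None or p == proto) and (d is None or d == dport) for p, d in nd_rules)

def process_inbound(pkt, flows, nd_rules):
    """Apply the 3.7.4.2 rules; returns 'accept' or 'discard' and updates the flow table."""
    flow = flows.get(pkt.flow_id)
    if pkt.cleartext:
        if flow is None:
            # First packet of a new flow (e.g. TCP SYN): only an ND rule admits cleartext.
            if not matches_nd_rule(pkt.flow_id, nd_rules):
                return "discard"
            flow = flows[pkt.flow_id] = Flow()
            verdict = "accept"
        else:
            # Existing flow: cleartext is only acceptable while the flow is not Secure.
            verdict = "discard" if flow.secure else "accept"
    else:
        # ESP/AH: mark the flow Secure; remaining processing is per RFC 4301 section 5.
        flow = flows.setdefault(pkt.flow_id, Flow())
        flow.secure = True
        verdict = "accept"
    # Independent of cleartext or not: propagate the SA's Guaranteed Encryption flag.
    if pkt.sa_guaranteed_encryption and flow is not None:
        flow.guaranteed_encryption = True
    return verdict
```

Once a flow has been marked Secure by an ESP/AH packet, a later cleartext packet on the same 5-tuple is discarded, which is the downgrade-prevention property the rules encode.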