IPsec rules are searched in order, from the rules whose attributes are most
specific to those whose attributes are least specific. The static rules
include placeholders for sets of dynamic rules. Dynamic rules are searched
only if a placeholder is the first matching rule in the static table. Sets of
dynamic rules are partitioned into separate groups. Within each group there
is no rule-order dependence, so each group can be searched with an enhanced
search mechanism, such as a search tree. For connection-oriented protocols,
security rule binding information is stored in association with the
connection, so that the rule search is performed only when a connection is
first established. If a static or dynamic rule is changed during a
connection, the search is repeated. For selected connectionless protocols,
packets are treated as if they were part of a simulated connection: a
pseudo-connection memory block is allocated when each socket is created, and
IPsec security binding information is stored in that pseudo-connection memory
block on the first packet.
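The lookup scheme described above, as an added illustration that is not part of the original text: static rules ordered most-specific first, a placeholder action that descends into an order-independent dynamic group, and a per-connection binding cache that is invalidated by a table version counter. The selector fields, the `group:` placeholder convention, the exact-match dictionary standing in for the search tree, and the fail-closed `discard` default are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """Packet selector; None is a wildcard, so more set fields = more specific."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    dport: Optional[int] = None

    def specificity(self) -> int:
        return sum(v is not None for v in vars(self).values())

    def matches(self, pkt: dict) -> bool:
        return all(v is None or v == pkt.get(k) for k, v in vars(self).items())


@dataclass
class Rule:
    selector: Selector
    action: str  # "protect" / "bypass" / "discard", or "group:<name>" placeholder (assumed)


class SecurityPolicyTable:
    def __init__(self) -> None:
        self.static: list = []     # static rules, kept most-specific first
        self.dynamic: dict = {}    # group name -> exact-match map (stand-in for a search tree)
        self.version = 0           # bumped on any rule change; stale bindings are re-searched
        self.bindings: dict = {}   # connection or pseudo-connection id -> (version, action)

    def add_static(self, rule: Rule) -> None:
        self.static.append(rule)
        self.static.sort(key=lambda r: r.selector.specificity(), reverse=True)
        self.version += 1

    def add_dynamic(self, group: str, proto: int, dport: int, action: str) -> None:
        # entries inside a group are keyed, not ordered: no rule-order dependence
        self.dynamic.setdefault(group, {})[(proto, dport)] = action
        self.version += 1

    def _search(self, pkt: dict) -> str:
        for rule in self.static:                      # ordered walk, first match wins
            if rule.selector.matches(pkt):
                if rule.action.startswith("group:"):  # placeholder: search the dynamic group
                    group = self.dynamic.get(rule.action[len("group:"):], {})
                    return group.get((pkt["proto"], pkt["dport"]), "discard")
                return rule.action
        return "discard"                              # assumed fail-closed default

    def lookup(self, conn_id: str, pkt: dict) -> str:
        """Search once per (pseudo-)connection; repeat only after a rule change."""
        cached = self.bindings.get(conn_id)
        if cached is not None and cached[0] == self.version:
            return cached[1]
        action = self._search(pkt)
        self.bindings[conn_id] = (self.version, action)
        return action
```

For a connectionless protocol such as UDP, the caller passes a per-socket identifier as `conn_id`, which plays the role of the pseudo-connection memory block.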