Before you configure DNE, it is important to understand how DNE processes network packets that are transmitted between two endpoints in an NSX-T deployment.

Matching Packets to Rules

Each packet is evaluated according to the configured encryption rules. Encryption rules are applied sequentially, starting with the first rule in the first section. If the packet does not match the criteria in the first rule, then the next rule is applied, and so on.

  • When an encryption rule matches the packet, then the action configured for that encryption rule is taken on the packet, and no further encryption rules are applied.

  • If all the rules are applied and no match is found, then no action will be applied to the packet. It is allowed to pass through as is.

Rule sequence is therefore important. If a packet matches multiple encryption rules, it is handled by the action in the first matching rule, and all later rules are ignored. Carefully consider the ordering of sections and rules; a broad rule placed early (for example, an Allow in Clear rule that matches all traffic) shadows every more specific rule after it.

Checking the Integrity of a Packet

If the packet matches an encryption rule and the rule action is Check Integrity Only, then DNE checks the integrity of the packet (to determine whether the packet has been tampered with). The packet passes only if the integrity of the packet has been confirmed; otherwise, the packet is dropped.

Authenticating and Encrypting a Packet

If the packet matches a rule and the rule action is Encrypt and Check Integrity:

  • On the transmission side, DNE encrypts the packet (to conceal its contents) with the key corresponding to the Key Policy associated with the encryption rule.

  • On the receiving side, DNE decrypts the packet and performs the integrity check. The packet passes only if encryption/decryption succeeds and the integrity of the packet has been confirmed; otherwise, the packet is dropped.

Allowing a Packet to Pass

If the packet matches a rule and the rule action is Allow in Clear, then the packet passes with no action.

Dropping a Packet

The packet is also dropped:

  • If the host doesn’t have the key.

  • If there is a mismatch between the action and the packet's state on the wire (for example, a packet arrives in plain text and matches a rule whose action is Encrypt and Check Integrity).
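The following Python model, added here as an illustration and not DNE's own code, walks through the whole pipeline described above: sequential first-match rule evaluation, the three rule actions on the transmit and receive side, and the two extra drop conditions (missing key, action mismatch). The rule fields, the key-policy names, the sample traffic and the host key are all constructed for the example, and the cipher and MAC are toy stand-ins (a SHA-256 keystream and HMAC-SHA256) chosen only to make "encrypt" and "check integrity" observable; they are not the algorithms DNE uses.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

# Rule actions as named in the text.
CHECK_INTEGRITY_ONLY = "Check Integrity Only"
ENCRYPT_AND_CHECK_INTEGRITY = "Encrypt and Check Integrity"
ALLOW_IN_CLEAR = "Allow in Clear"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int
    payload: bytes
    encrypted: bool = False       # True once the transmit side has encrypted it
    tag: Optional[bytes] = None   # integrity tag; None for a packet sent in clear


@dataclass(frozen=True)
class Rule:
    src: str                      # "*" matches any source
    dst: str                      # "*" matches any destination
    port: Optional[int]           # None matches any port
    action: str
    key_policy: Optional[str] = None  # key policy the rule references (hypothetical names)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src == "*" or rule.src == pkt.src)
            and (rule.dst == "*" or rule.dst == pkt.dst)
            and (rule.port is None or rule.port == pkt.port))


def first_match(rules, pkt):
    """Sequential first-match evaluation over the flattened list of all sections.
    Returns None when no rule matches; the packet is then passed as is."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


# Toy primitives for the demonstration only (not DNE's actual cipher or MAC).
def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor_crypt(key: bytes, data: bytes) -> bytes:   # same function encrypts and decrypts
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def transmit(rules, host_keys, pkt):
    """Transmit side. Returns (packet, reason); packet is None when dropped."""
    rule = first_match(rules, pkt)
    if rule is None or rule.action == ALLOW_IN_CLEAR:
        return pkt, "passed in clear"
    key = host_keys.get(rule.key_policy)
    if key is None:
        return None, "dropped: host has no key for policy " + str(rule.key_policy)
    if rule.action == CHECK_INTEGRITY_ONLY:
        return replace(pkt, tag=_tag(key, pkt.payload)), "integrity tag attached"
    ct = _xor_crypt(key, pkt.payload)           # encrypt, then tag the ciphertext
    return replace(pkt, payload=ct, encrypted=True, tag=_tag(key, ct)), "encrypted and tagged"


def receive(rules, host_keys, pkt):
    """Receive side. Returns (packet, reason); packet is None when dropped."""
    rule = first_match(rules, pkt)
    if rule is None or rule.action == ALLOW_IN_CLEAR:
        return pkt, "passed in clear"
    key = host_keys.get(rule.key_policy)
    if key is None:
        return None, "dropped: host has no key for policy " + str(rule.key_policy)
    # Action mismatch: the packet's on-the-wire state must agree with the rule,
    # e.g. a plain-text packet matching an Encrypt and Check Integrity rule is dropped.
    expect_encrypted = rule.action == ENCRYPT_AND_CHECK_INTEGRITY
    if pkt.encrypted != expect_encrypted:
        return None, "dropped: action mismatch"
    if pkt.tag is None or not hmac.compare_digest(pkt.tag, _tag(key, pkt.payload)):
        return None, "dropped: integrity check failed"
    if expect_encrypted:
        clear = replace(pkt, payload=_xor_crypt(key, pkt.payload), encrypted=False, tag=None)
        return clear, "decrypted, integrity confirmed"
    return replace(pkt, tag=None), "integrity confirmed"


# Constructed sample policy: two specific rules ahead of a catch-all Allow in Clear rule.
RULES = [
    Rule("web", "db", 3306, ENCRYPT_AND_CHECK_INTEGRITY, key_policy="kp-db"),
    Rule("web", "db", None, CHECK_INTEGRITY_ONLY, key_policy="kp-db"),
    Rule("*", "*", None, ALLOW_IN_CLEAR),
]
HOST_KEYS = {"kp-db": b"constructed-demo-key-not-a-real-one"}  # constructed value

if __name__ == "__main__":
    pkt = Packet("web", "db", 3306, b"SELECT 1")
    sent, why = transmit(RULES, HOST_KEYS, pkt)
    print("tx:", why)
    print("rx:", receive(RULES, HOST_KEYS, sent)[1])
    print("rx plain text on encrypt rule:", receive(RULES, HOST_KEYS, pkt)[1])
    print("rx without key:", receive(RULES, {}, sent)[1])
```

Reordering RULES so the catch-all Allow in Clear rule comes first makes `first_match` return it for every packet, which is exactly the shadowing effect the ordering note above warns about; the tampering case (flip one byte of the ciphertext before calling `receive`) ends in "dropped: integrity check failed".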