
NAT traversal clarification?
Hi, draft-huttunen-ipsec-esp-in-udp-01.txt, section 5 "IPSec over NAT
Operation" has the following:
It hits the NAT, and the NAT translates the src address, and source
portcreates an entry for the SPI. When the reply comes back from X, the
NAT maps the SPI from X with the SPI send from A. Now the NAT knows
which internal host to send the packet to, and A gets it. 
Assuming that the text meant to say "... source port, and creates an
entry ...", I'm not sure I understand why we're referring to the SPI
here or how it's being used for the following reasons:
1. the outgoing SA spi differs from the incoming SA spi, so if a spi
entry was created based on an outgoing pkt, this spi entry can't be used
to process an incoming pkt.
2. having NAT look at the spi field violates the requirement that says
NAT should be unaware of IPSEC (or maybe I misunderstood the
requirement?)
3. why is the spi needed here to map a pkt to an internal host? isn't
the port mapping sufficient?
Thanks,
- Ly
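To make points 1 and 3 concrete, here is a small added simulation (not from the draft or from this message) of a NAT in front of UDP-encapsulated ESP: one NAT keys its table on the translated UDP port, the other on the SPI it saw leaving. Addresses, port 4500, the SPIs 0x1111/0x2222 and the packet layout are constructed for the example; the reply from X carries a different SPI because it travels on the other SA.

```python
import struct
from collections import namedtuple
# Constructed ESP-in-UDP model: the UDP payload begins with the 4-byte ESP SPI.
# Addresses, ports and SPIs are made up; both NATs are toys written for this post.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port payload")

def esp_in_udp(spi, seq, body=b"\x00" * 16):
    return struct.pack("!II", spi, seq) + body       # SPI, sequence, ciphertext

def spi_of(pkt):
    return struct.unpack("!I", pkt.payload[:4])[0]

class PortNat:
    """NAT keyed on (private ip, port) <-> public port; ESP stays opaque to it."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out, self.back = {}, {}          # private -> public, public -> private
    def outbound(self, p):
        key = (p.src_ip, p.src_port)
        if key not in self.out:               # first packet from this host:port
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], p.dst_ip, p.dst_port, p.payload)
    def inbound(self, p):
        ip, port = self.back[p.dst_port]      # reply port selects the inside host
        return Packet(p.src_ip, p.src_port, ip, port, p.payload)

class SpiNat(PortNat):
    """Strawman that picks the inside host by the SPI seen on the outbound packet."""
    def __init__(self, *args):
        super().__init__(*args)
        self.by_spi = {}
    def outbound(self, p):
        self.by_spi[spi_of(p)] = (p.src_ip, p.src_port)
        return super().outbound(p)
    def inbound(self, p):
        ip, port = self.by_spi[spi_of(p)]     # reply carries A's inbound SPI, not this one
        return Packet(p.src_ip, p.src_port, ip, port, p.payload)

def run(nat):
    """A (10.0.0.5) sends on SPI 0x1111; X answers on A's inbound SA, SPI 0x2222.
    Returns (ip, port) the reply reached, or None if the NAT had no entry for it."""
    a_out = Packet("10.0.0.5", 4500, "192.0.2.1", 4500, esp_in_udp(0x1111, 1))
    on_wire = nat.outbound(a_out)
    reply = Packet("192.0.2.1", 4500, on_wire.src_ip, on_wire.src_port, esp_in_udp(0x2222, 1))
    try:
        return nat.inbound(reply)[2:4]        # (dst_ip, dst_port) after translation
    except KeyError:
        return None
```

`run(PortNat("203.0.113.7"))` delivers the reply to A on the port mapping alone, while `run(SpiNat("203.0.113.7"))` has no entry for the reply's SPI and drops it.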