
RE: NAT Traversal



Just to clarify, what Chinna was talking about was that as far as NAT is
concerned the 2 traffic types - IKE and ESP - are independent although the SPI
exchange for ESP takes place via IKE. Since they are encrypted within IKE,
NAT can mux/demux those connections independently. One problem NAT
encounters is serializing of connections till both inbound and outbound SPIs
are known to NAT. I am working for a company which lives on the existence of
such boxes. And one big drawback is NAT not knowing this information a priori
or through a formula. I don't want to get into the debate of what is better
- SPI magic formula or UDP encapsulation. This is for the research community
to hash out. But NAT is not malicious and actually wants to facilitate IPsec
connections through it for multiple users behind it. IKE itself is so
unreliable that it just makes life hell for a programmer. We have tried so
many implementations like floating source ports and cookie tracking, but
interoperability and reliability is always an issue. Hopefully you guys can
churn out something that is reliable and robust to make life easy for our
friendly, n'hood NAT.

-Bik

> -----Original Message-----
> From: Henry Spencer [mailto:henry@spsystems.net]
> Sent: Monday, March 04, 2002 10:18 AM
> To: Chinna N.R. Pellacuru
> Cc: 'ipsec mailing list'
> Subject: RE: NAT Traversal
> 
> 
> On Mon, 4 Mar 2002, Chinna N.R. Pellacuru wrote:
> > SPI is an IPsec parameter as opposed to IKE. In almost all implementations
> > the SPI space is managed by the IPsec implementation (if we divide IPsec
> > into IPsec implementation and IKE).
> 
> Note that not all implementations support such a division.  Some use the
> IKE daemon for general IPsec policy/management as well, in which case it
> may be assigning the SPIs.
> 
> Henry Spencer
> henry@spsystems.net
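The serialization problem Bik describes, as an added toy model (not code from anyone on this list): a NAT that demultiplexes ESP by SPI learns the outbound SPI from the first packet an inner host sends, but the first inbound packet with a new SPI can only be attributed to one host if exactly one host is still waiting for its inbound SPI, so a second host's new flow has to be held back until then. Hostnames, SPI values and the `EspNat` class are all constructed for the illustration.

```python
from typing import Dict, Optional


class EspNat:
    """Toy ESP-passthrough NAT: maps each SPI to the inner host behind it.
    Because the SPI exchange is hidden inside encrypted IKE, the NAT can
    only learn SPIs by observing the ESP packets themselves."""

    def __init__(self) -> None:
        self.out_spi: Dict[int, str] = {}   # SPI in outbound ESP -> inner host
        self.in_spi: Dict[int, str] = {}    # SPI in inbound ESP  -> inner host
        self.pending: Optional[str] = None  # host whose inbound SPI is unknown

    def outbound(self, inner_host: str, spi: int) -> bool:
        """Inner host sends ESP carrying the SPI the remote peer assigned.
        Returns True if forwarded, False if held back (serialization)."""
        if spi in self.out_spi:
            # Known SPI: forward only if it belongs to this host.
            return self.out_spi[spi] == inner_host
        if self.pending is not None and self.pending != inner_host:
            # Another host's inbound SPI is not yet learned; letting a second
            # new flow through would make the next inbound packet ambiguous.
            return False
        self.out_spi[spi] = inner_host
        self.pending = inner_host
        return True

    def inbound(self, spi: int) -> Optional[str]:
        """Returns the inner host to deliver to, or None if undeliverable."""
        if spi in self.in_spi:
            return self.in_spi[spi]
        if self.pending is None:
            return None  # unknown SPI and nobody is waiting: drop it
        host = self.pending  # exactly one host waiting, so attribute to it
        self.in_spi[spi] = host
        self.pending = None
        return host


def demo() -> bool:
    """Two hosts negotiate in parallel; the second is held until the first
    flow has both SPIs known. Returns True if the model behaves as expected."""
    nat = EspNat()
    first = nat.outbound("10.0.0.2", 0x1001)        # True
    second = nat.outbound("10.0.0.3", 0x2001)       # False, serialized
    learned = nat.inbound(0x1002)                   # "10.0.0.2"
    retry = nat.outbound("10.0.0.3", 0x2001)        # True, now allowed
    return first and not second and learned == "10.0.0.2" and retry
```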