RE: NAT Traversal
On Mon, 4 Mar 2002, Srinivasa Addepalli wrote:
> I am not sure whether you can restrict the responder to choose
> its own SPI. Lot of implementations take advantage of SPI
> for faster lookups. This is possible if the IPSEC implementation
> is given chance to choose its own SPI without any limitation.
> There are some implementations which use all bits of SPI value
> for different functionalities within the device.
We only place a restriction on half of the SPI for this reason only. We
want the other half to be unrestricted for implementations to still have
some flexibility with picking an SPI for whatever fancy scheme they have.
You should also honor what RFC 2401 says: "SAD is indexed by a destination
IP address, IPsec protocol type, and SPI.
    o SPI: the 32-bit value used to distinguish among different
      SAs terminating at the same destination and using the same
      IPsec protocol.
      [REQUIRED for all implementations]"
We will be reducing this unrestricted SPI space from 32 bits to 16 bits,
because the other 16 bits are generated based on the SPI that the peer has
picked.
chinna
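The split-SPI scheme discussed in the message above, written out as an added example (this is not code from the thread or from any of the implementations mentioned). The message does not say how the restricted 16 bits are generated from the peer's SPI, so the derivation rule used here (low 16 bits of the peer's SPI) is an assumption, as are the `SAD` class, its method names and the sample addresses. The example keeps the RFC 2401 lookup key (destination address, IPsec protocol, full 32-bit SPI) and, beside it, a fast-path table indexed by the 16 unrestricted bits alone, which is the kind of "use the SPI bits for internal functionality" trick whose usable space shrinks from 32 to 16 bits under the proposal.

```python
"""Split-SPI illustration (added example, not from the original thread).

Assumption: the restricted (upper) 16 bits of a locally chosen SPI are the
low 16 bits of the peer's SPI; the lower 16 bits are free for the local
implementation. The SAD is still indexed by (dst, proto, spi) per RFC 2401.
"""
import secrets

ESP = 50                 # IP protocol numbers for the IPsec protocol field
AH = 51
SPI_RESERVED_MAX = 255   # RFC 2401: SPI values 1..255 are reserved by IANA


def derive_restricted_half(peer_spi: int) -> int:
    """Assumed derivation rule: restricted half = low 16 bits of peer's SPI."""
    return peer_spi & 0xFFFF


def can_build(peer_spi: int, local_half: int) -> bool:
    """True if (peer-derived half, local half) yields a usable 32-bit SPI."""
    if not 0 <= local_half <= 0xFFFF:
        return False
    spi = (derive_restricted_half(peer_spi) << 16) | local_half
    # Only when the peer's low 16 bits are zero can the composed SPI land in
    # the IANA-reserved range; the local side must then avoid those values.
    return spi > SPI_RESERVED_MAX


def build_local_spi(peer_spi: int, local_half: int) -> int:
    """Compose a 32-bit SPI: restricted half in the top 16 bits, free half below."""
    if not can_build(peer_spi, local_half):
        raise ValueError("local half out of range or SPI in reserved range")
    return (derive_restricted_half(peer_spi) << 16) | local_half


def restricted_half(spi: int) -> int:
    return (spi >> 16) & 0xFFFF


def free_half(spi: int) -> int:
    return spi & 0xFFFF


class SAD:
    """Security Association Database (hypothetical minimal model).

    _entries is the RFC 2401 index (dst, proto, full SPI). _by_free_half is
    a fast-path index keyed by the 16 unrestricted bits only; it is only
    consistent if no two SAs to the same (dst, proto) share a free half, so
    that is enforced on insertion.
    """

    def __init__(self) -> None:
        self._entries: dict = {}
        self._by_free_half: dict = {}

    def can_add(self, dst: str, proto: int, spi: int) -> bool:
        """Reject both a duplicate full SPI and a duplicate free half."""
        return ((dst, proto, spi) not in self._entries
                and (dst, proto, free_half(spi)) not in self._by_free_half)

    def pick_spi(self, dst: str, proto: int, peer_spi: int) -> int:
        """Choose the free half at random from the 16-bit local space."""
        for _ in range(4096):
            half = secrets.randbelow(0x10000)
            if not can_build(peer_spi, half):
                continue
            spi = build_local_spi(peer_spi, half)
            if self.can_add(dst, proto, spi):
                return spi
        raise RuntimeError("free 16-bit SPI space exhausted for this peer")

    def add(self, dst: str, proto: int, spi: int, sa) -> None:
        if not self.can_add(dst, proto, spi):
            raise KeyError(f"SPI {spi:#010x} collides at ({dst}, {proto})")
        self._entries[(dst, proto, spi)] = sa
        self._by_free_half[(dst, proto, free_half(spi))] = sa

    def lookup(self, dst: str, proto: int, spi: int):
        """RFC 2401 lookup on the full 32-bit SPI."""
        return self._entries.get((dst, proto, spi))

    def lookup_by_free_half(self, dst: str, proto: int, spi: int):
        """Fast-path lookup using only the unrestricted 16 bits."""
        return self._by_free_half.get((dst, proto, free_half(spi)))


if __name__ == "__main__":
    sad = SAD()
    spi = sad.pick_spi("192.0.2.10", ESP, 0x1234ABCD)   # constructed sample
    sad.add("192.0.2.10", ESP, spi, "sa-to-192.0.2.10")
    print(f"local SPI {spi:#010x}: restricted {restricted_half(spi):#06x}, "
          f"free {free_half(spi):#06x}")
```

Note the trade-off the example makes visible: two SAs to the same destination whose SPIs differ only in the restricted half are distinct under the RFC 2401 key, but an implementation that indexes on the free half alone cannot tell them apart, so it must treat the free 16 bits as its whole local namespace per (destination, protocol).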