
RE: NAT Traversal

On Mon, 4 Mar 2002, Srinivasa Addepalli wrote:
>   I am not sure whether you can restrict the responder to choose
>   its own SPI. Lot of implementations take advantage of SPI
>   for faster lookups. This is possible if the IPSEC implementation
>   is given chance to choose its own SPI without any limitation.
>   There are some implementations which use all bits of SPI value
>   for different functionalities within the device.

We only place a restriction on half of the SPI for this reason only. We
want the other half to be unrestricted for implementations to still have
some flexibility with picking a SPI for whatever fancy scheme they have.

You should also honor what RFC 2401 says "SAD is indexed by a destination
IP address, IPsec protocol type, and SPI.

         o SPI: the 32-bit value used to distinguish among different
           SAs terminating at the same destination and using the same
           IPsec protocol.
           [REQUIRED for all implementations]"

We will be reducing this un-restricted SPI space from 32 bits to 16 bits,
because the other 16 bits are generated based on the SPI that the peer has
picked.

    chinna