
Re: NAT Traversal



On Mon, 4 Mar 2002, Bill Sommerfeld wrote:

> "responder SPI as a hash of the initiator's SPI"?
>
> Which initiator? phase 1 initiator?  phase 2 initiator?
>
> When a rekey occurs, the initiator and responder roles can be swapped.
>

Yes, good point. We are referring to the phase 2 initiator.

The NAT device need not know which SPI is the initiator SPI and which one
is the responder SPI, though. When a NAT device has a pair of SPIs for which
it needs to see whether they belong together, it has to check the relation
both ways. So, if we have SPI1 and SPI2, the NAT box will try to see if
the hash of SPI1 is equal to the half of SPI2, or the hash of SPI2 is
equal to the half of SPI1. Both of these result in a match.

    chinna
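The direction-agnostic pairing check described in this reply, as an added example that is not part of the original message and not code from any IPsec implementation. The post names neither a hash function nor which half of the SPI carries the tag, so this example assumes SHA-256 truncated to 16 bits and places the tag in the high half of the responder's 32-bit SPI; the function names are hypothetical.

```python
import hashlib
import secrets
from typing import Optional

SPI_BITS = 32
HALF_BITS = SPI_BITS // 2          # "half of SPI" in the post: 16 bits
HALF_MASK = (1 << HALF_BITS) - 1


def spi_hash_half(spi: int) -> int:
    """Hash a 32-bit SPI down to a 16-bit tag.

    Assumption: SHA-256 truncated to its first two bytes. The post does not
    name a hash; any function both endpoints and the NAT agree on would do.
    """
    digest = hashlib.sha256(spi.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def high_half(spi: int) -> int:
    """Return the upper 16 bits of a 32-bit SPI (assumed tag position)."""
    return (spi >> HALF_BITS) & HALF_MASK


def derive_responder_spi(initiator_spi: int,
                         random_half: Optional[int] = None) -> int:
    """Phase 2 responder picks its SPI so that its high half is the hash tag
    of the initiator's SPI; the low half stays random so SPIs remain
    unpredictable and distinct across SAs. (Layout is an assumption.)"""
    if random_half is None:
        random_half = secrets.randbelow(1 << HALF_BITS)
    return (spi_hash_half(initiator_spi) << HALF_BITS) | (random_half & HALF_MASK)


def spis_are_paired(spi_a: int, spi_b: int) -> bool:
    """NAT-side check. The NAT does not know which SPI belongs to the
    initiator (roles may swap on rekey), so it tests the relation both
    ways: hash(SPI1) == half(SPI2)  or  hash(SPI2) == half(SPI1)."""
    return (spi_hash_half(spi_a) == high_half(spi_b)
            or spi_hash_half(spi_b) == high_half(spi_a))


def pair_observed_spis(spis_seen: list) -> list:
    """Given SPIs observed in both directions, return the pairs a NAT could
    associate into one bidirectional SA mapping (constructed helper)."""
    pairs = []
    for i, a in enumerate(spis_seen):
        for b in spis_seen[i + 1:]:
            if spis_are_paired(a, b):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    # Constructed sample: one initiator SPI, responder derives its own.
    init_spi = 0x0A1B2C3D
    resp_spi = derive_responder_spi(init_spi)
    print(f"initiator SPI {init_spi:#010x}, responder SPI {resp_spi:#010x}")
    # The NAT matches regardless of argument order.
    print(spis_are_paired(init_spi, resp_spi), spis_are_paired(resp_spi, init_spi))
```

A practitioner's caveat on this scheme: a 16-bit tag checked in two directions gives two unrelated 32-bit SPIs roughly a 2^-15 chance of looking paired, so a NAT that keys state on this check alone can mis-associate flows under many concurrent SAs. Tying the check to the peer addresses and existing mapping state, rather than to SPI values alone, keeps that false-pairing rate from mattering in practice.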