[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: NAT Traversal

To: Stephen Kent <kent@bbn.com>
Subject: RE: NAT Traversal
From: "Chinna N.R. Pellacuru" <pcn@cisco.com>
Date: Mon, 4 Mar 2002 14:21:17 -0800 (PST)
cc: Srinivasa Addepalli <srao@intotoinc.com>, Jayant Shukla <jshukla@trlokom.com>, "'Henrik Levkowetz'" <henrik@ipunplugged.com>, "'ipsec mailling list'" <ipsec@lists.tislabs.com>
In-Reply-To: <p0510030ab8a99f63a5ba@[128.89.88.34]>
Sender: owner-ipsec@lists.tislabs.com

On Mon, 4 Mar 2002, Stephen Kent wrote:

> At 1:46 PM -0800 3/4/02, Chinna N.R. Pellacuru wrote:
> >On Mon, 4 Mar 2002, Srinivasa Addepalli wrote:
> >>    I am not sure whether you can restrict the responder to choose
> >>    its own SPI. Lot of implementations take advantage of SPI
> >>    for faster lookups. This is possible if the IPSEC implementation
> >>    is given chance to choose its own SPI without any limitation.
> >>    There are some implementations which use all bits of SPI value
> >>    for different functionalities within the device.
> >
> >We only place a restriction on half of the SPI for this reason only. We
> >want the other half to be unresticted for implemenations to still have
> >some flexibility with picking a SPI for whatever fancy scheme they have.
> >
> >You should also honor what RFC 2401 says "SAD is indexed by a destination
> >IP address, IPsec protocol type, and SPI.
> >
> >          o SPI: the 32-bit value used to distinguish among different
> >            SAs terminating at the same destination and using the same
> >            IPsec protocol.
> >            [REQUIRED for all implementations]
> >
> >We will be reducing this un-restricted SPI space from 32 bits to 16 bits,
> >because the other 16 bits are generated based on the SPI that the peer has
> >picked.
> >
> >     chinna
>
> Chinna,
>
> Just a few notes re this discussion:
>
> 	- the revised ESP/AH documents emphasize that an IPsec
> implementation need not use the protocol type for SPI
> differentiation. so, if one starts assuming this is true, it will be
> yet another conflict with the IPsec specs

Curious what are the reasons for removing this restriction, and what are
the cons of still reqiring that this restriction apply.

>
> 	- similarly, an IPsec implementation does not need to use the
> dest IP address as part of the SPI lookup, unless that address is for
> a multicast group.
>

Here also, curious why that it is not required anymore to have dest IP
address as part of SPI lookup.

> 	- do I understand correctly that you are suggesting a change
> to the specs to reduce the effective SPI space by a factor of 65K?
> is everyone comfortable with this?
>
> Steve
>

I am suggesting that the original concept of IPsec SA being identified by
a tuple: destination IP, protocol, SPI be required, and within the SPI add
new semantics for picking a SPI on the phase2 responder.

    thanks,
    chinna

Follow-Ups:
- Re: NAT Traversal
  - From: Bill Sommerfeld <sommerfeld@east.sun.com>
- RE: NAT Traversal
  - From: Stephen Kent <kent@bbn.com>

References:
- RE: NAT Traversal
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: NAT Traversal
Next by Date: Re: NAT Traversal
Prev by thread: Re: NAT Traversal
Next by thread: Re: NAT Traversal
Index(es):
- Date
- Thread