Re: NAT Traversal
"Chinna N.R. Pellacuru" <pcn@cisco.com> writes:
> The NAT device need not know which SPI is the initiator SPI and which one
> is the responder SPI though. When a NAT device has a pair of SPIs that it
> needs to see whether they belong to a pair, it has to see for the relation
> both ways. So, if we have SPI1 and SPI2, the NAT box will try to see if
> the hash of SPI1 is equal to the half of SPI2, or the hash of SPI2 is
> equal to the half of SPI1. Both of these result in a match.
What do you do if you find multiple matches? Unfortunately this case
can happen with a non-zero probability due to your limiting the space
to a 16-bit by 16-bit comparison.
> chinna
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
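
The multiple-match case raised in the reply can be measured with a small simulation. This is an added example, not part of the original thread or of any proposal's code: it assumes truncated SHA-256 as the 16-bit hash, the upper 16 bits of the SPI as "the half", and randomly chosen initiator SPIs, and all function names are hypothetical.

```python
import hashlib
import random
from collections import defaultdict

def h16(spi: int) -> int:
    """16-bit hash of a 32-bit SPI. Assumption: truncated SHA-256 stands in
    for the hash, which the thread does not name."""
    return int.from_bytes(hashlib.sha256(spi.to_bytes(4, "big")).digest()[:2], "big")

def related(a: int, b: int) -> bool:
    """NAT-side test, tried both ways: hash of one SPI equals the (assumed
    upper) 16-bit half of the other."""
    return h16(a) == (b >> 16) or h16(b) == (a >> 16)

def make_pair(rng: random.Random):
    """Constructed SA pair: random initiator SPI, responder SPI carrying
    h16(initiator) in its upper half and random bits in the lower half."""
    init = rng.getrandbits(32)
    return init, (h16(init) << 16) | rng.getrandbits(16)

def ambiguous_pairs(n_pairs: int, seed: int = 1) -> int:
    """Number of SA pairs with an SPI that also matches an SPI of another pair."""
    rng = random.Random(seed)
    pairs = [make_pair(rng) for _ in range(n_pairs)]
    by_upper = defaultdict(set)          # upper half -> pairs owning such an SPI
    for idx, pair in enumerate(pairs):
        for spi in pair:
            by_upper[spi >> 16].add(idx)
    ambiguous = set()
    for idx, pair in enumerate(pairs):
        for spi in pair:
            others = by_upper.get(h16(spi), set()) - {idx}
            if others:                   # spi "matches" a foreign SPI too
                ambiguous.add(idx)
                ambiguous |= others
    return len(ambiguous)

def expected_false_matches(n_pairs: int) -> float:
    """Expected cross-pair matches: each of 2n SPIs against 2(n-1) foreign
    SPIs, each matching with probability 2**-16."""
    return 2 * n_pairs * 2 * (n_pairs - 1) / 2**16

if __name__ == "__main__":
    for n in (10, 100, 1000, 5000):
        print(n, ambiguous_pairs(n), round(expected_false_matches(n), 2))
```

The expected number of false matches grows with the square of the number of concurrent SA pairs, so a NAT device using such a check needs a tie-breaking rule once its table holds more than a few hundred flows.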