
Re: NAT Traversal



"Chinna N.R. Pellacuru" <pcn@cisco.com> writes:

> The NAT device need not know which SPI is the initiator SPI and which one
> is the responder SPI though. When a NAT device has a pair of SPIs that it
> needs to see whether they belong to a pair, it has to see for the relation
> both ways. So, if we have SPI1 and SPI2, the NAT box will try to see if
> the hash of SPI1 is equal to the half of SPI2, or the hash of SPI2 is
> equal to the half of SPI1. Both of these result in a match.

What do you do if you find multiple matches?  Unfortunately this case
can happen with a non-zero probability due to your limiting the space
to a 16-bit by 16-bit comparison.

>     chinna

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
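The exchange above describes a NAT box deciding that two SPIs belong together when the 16-bit hash of one equals half of the other, tested in both directions, and Derek's objection is that a 16-bit comparison leaves room for unrelated SPIs to pass the test. The toy model below is an added example, not code from either poster or from any IPsec/NAT implementation; the hash function (SHA-256 truncated to 16 bits), the meaning of "half" (the low 16 bits) and the 32-bit SPI width are all assumptions, since the thread does not define them. It constructs a set of genuine SA pairs, runs the pairing check over every SPI combination to count false matches and SPIs that end up in more than one accepted pairing, and shows by brute force how cheaply an unrelated SPI that satisfies the check can be found.

```python
"""
Toy model of the SPI-pairing heuristic discussed in the thread and of the
multiple-match ambiguity raised in the reply.  Hash function, "half" and
SPI width are assumptions: the message does not define them.
"""
import hashlib
import random
import struct
from functools import lru_cache
from itertools import combinations

SPACE = 1 << 16  # the comparison is 16-bit: 65536 possible values


def half_of(spi: int) -> int:
    # Assumption: "half of the SPI" means its low 16 bits.
    return spi & 0xFFFF


@lru_cache(maxsize=None)
def hash16(spi: int) -> int:
    # Assumption: a 16-bit hash of the 32-bit SPI; SHA-256 truncated stands in here.
    return int.from_bytes(hashlib.sha256(struct.pack(">I", spi)).digest()[:2], "big")


def looks_paired(spi_a: int, spi_b: int) -> bool:
    # The check as described in the quoted text: the relation is tested both ways.
    return hash16(spi_a) == half_of(spi_b) or hash16(spi_b) == half_of(spi_a)


def make_pair(rng: random.Random) -> tuple:
    # A legitimate SA pair: the responder's SPI carries hash16(initiator SPI) in its low half.
    spi_i = rng.getrandbits(32)
    spi_r = (rng.getrandbits(16) << 16) | hash16(spi_i)
    return spi_i, spi_r


def find_colliding_spi(spi_r: int, exclude: int, start: int = 1) -> int:
    # Brute-force search for an unrelated SPI whose 16-bit hash equals half_of(spi_r).
    # Expected work is about 2**16 hashes, which is why the 16-bit test is weak.
    target = half_of(spi_r)
    for spi in range(start, start + (1 << 22)):
        if spi != exclude and hash16(spi) == target:
            return spi
    raise RuntimeError("no collision in search window (vanishingly unlikely)")


def simulate_false_matches(n_flows: int, seed: int = 1) -> dict:
    # Constructed traffic: n_flows genuine SA pairs, then every unordered SPI pair is checked.
    rng = random.Random(seed)
    pairs = [make_pair(rng) for _ in range(n_flows)]
    genuine = {frozenset(p) for p in pairs}
    spis = [s for p in pairs for s in p]
    matches = {frozenset(c) for c in combinations(spis, 2) if looks_paired(*c)}
    # An SPI that appears in more than one accepted pairing is the ambiguous case
    # Derek asks about: the NAT box has several candidates and no way to choose.
    counts = {}
    for m in matches:
        for s in m:
            counts[s] = counts.get(s, 0) + 1
    return {
        "genuine_detected": len(matches & genuine),
        "false_matches": len(matches - genuine),
        "ambiguous_spis": sum(1 for c in counts.values() if c > 1),
    }


def expected_false_matches(n_flows: int) -> float:
    # Rough estimate for uniformly random SPIs: each unrelated unordered pair passes
    # one of the two directional 16-bit tests with probability 1 - (1 - 1/SPACE)**2.
    n_spis = 2 * n_flows
    unrelated_pairs = n_spis * (n_spis - 1) // 2 - n_flows
    return unrelated_pairs * (1 - (1 - 1 / SPACE) ** 2)


if __name__ == "__main__":
    stats = simulate_false_matches(200)
    print("200 genuine pairs, 400 SPIs:", stats)
    print("expected false matches:", round(expected_false_matches(200), 2))
    spi_i, spi_r = make_pair(random.Random(7))
    x = find_colliding_spi(spi_r, exclude=spi_i)
    print(f"unrelated SPI {x:#010x} also pairs with {spi_r:#010x}:", looks_paired(x, spi_r))
```

With a few hundred active SAs the expected number of spurious pairings is already above two, and the brute-force search shows that a matching unrelated SPI costs only on the order of 2^16 hash evaluations, so the check cannot distinguish a genuine partner from a coincidental or deliberately chosen one.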