
Re: NAT Traversal



On 4 Mar 2002, Derek Atkins wrote:

> "Chinna N.R. Pellacuru" <pcn@cisco.com> writes:
>
> > The NAT device need not know which SPI is the initiator SPI and which one
> > is the responder SPI though. When a NAT device has a pair of SPIs that it
> > needs to see whether they belong to a pair, it has to see for the relation
> > both ways. So, if we have SPI1 and SPI2, the NAT box will try to see if
> > the hash of SPI1 is equal to the half of SPI2, or the hash of SPI2 is
> > equal to the half of SPI1. Both of these result in a match.
>
> What do you do if you find multiple matches?  Unfortunately this case
> can happen with a non-zero probability due to your limiting the space
> to a 16-bit by 16-bit comparison.
>

Let's take the case that you think has the highest probability of this
happening, and then we can come up with a reasonable estimate of the
probability of that happening.

It is hard to come up with the probability of this happening in general
for all cases and all scenarios. So, let's take the worst case (at least
what we think is the worst case), and analyse the probabilities.

I agree that the probability is non-zero. When this happens, we would have
to drop the traffic. NAT itself is not a very deterministic process, and
so we should be willing to have some non-determinism in the total
solution.

    chinna
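The following is an added example, not code from either poster or from any IPsec/NAT implementation: a toy model of the SPI-pairing check quoted above (hash of one SPI compared with half of the other, tried both ways), used to show how an ambiguous "multiple matches" situation arises and to estimate how often a NAT with a table of unrelated SPIs would see one. The page does not say which half of the SPI is compared, which 16-bit hash is used, or how SPIs are distributed; this example assumes the upper 16 bits, the leading two bytes of SHA-1 over the 4-byte SPI, and uniformly random SPIs. The function names (`looks_paired`, `candidate_peers`, `simulate`) are this example's own.

```python
"""Toy model of a NAT pairing SPIs by a 16-bit hash/half-SPI check.

Added example, not from the thread. Assumptions not stated on the page:
the compared 'half' is the upper 16 bits of the 32-bit SPI, the 16-bit
hash is the leading two bytes of SHA-1 over the big-endian SPI, and SPIs
are otherwise uniformly random.
"""
import functools
import hashlib
import random
from itertools import combinations

SPI_BITS = 32
HALF_BITS = 16
HALF_MASK = (1 << HALF_BITS) - 1


@functools.lru_cache(maxsize=None)
def half_hash(spi: int) -> int:
    """16-bit hash of a 32-bit SPI (assumed: leading 16 bits of SHA-1)."""
    digest = hashlib.sha1(spi.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def upper_half(spi: int) -> int:
    """The 16-bit 'half of the SPI' that the check compares (assumed: upper half)."""
    return (spi >> HALF_BITS) & HALF_MASK


def looks_paired(spi_a: int, spi_b: int) -> bool:
    """The NAT's check: it does not know which SPI is the initiator's, so it
    tries the relation both ways."""
    return (half_hash(spi_a) == upper_half(spi_b)
            or half_hash(spi_b) == upper_half(spi_a))


def make_pair(rng: random.Random) -> tuple[int, int]:
    """Initiator picks a random SPI; the responder encodes hash(initiator SPI)
    in the upper half of its own SPI and picks the lower half at random."""
    initiator = rng.getrandbits(SPI_BITS)
    responder = (half_hash(initiator) << HALF_BITS) | rng.getrandbits(HALF_BITS)
    return initiator, responder


def candidate_peers(spi: int, table: list[int]) -> list[int]:
    """Every SPI in the NAT's table that passes the check against spi.
    More than one candidate is exactly the ambiguous case raised in the
    thread; the NAT cannot tell which one is the real peer."""
    return [other for other in table if other != spi and looks_paired(spi, other)]


def spurious_match_probability() -> float:
    """Chance that two unrelated, uniformly random SPIs pass the two-way
    16-bit check: 1 - (1 - 2^-16)^2, just under 2^-15."""
    p_one_way = 1 / (1 << HALF_BITS)
    return 1 - (1 - p_one_way) ** 2


def expected_spurious_matches(n_spis: int) -> float:
    """Expected number of unrelated SPI pairs that pass the check in a NAT
    table holding n_spis SPIs (all-pairs comparison, worst case)."""
    n_unordered_pairs = n_spis * (n_spis - 1) // 2
    return n_unordered_pairs * spurious_match_probability()


def simulate(n_sessions: int, seed: int = 1) -> tuple[int, int]:
    """Build n_sessions genuine SPI pairs (constructed sample data), put all
    2*n_sessions SPIs in one table, and count how many unordered pairs pass
    the check: (genuine matches, spurious matches)."""
    rng = random.Random(seed)
    pairs = [make_pair(rng) for _ in range(n_sessions)]
    genuine = {frozenset(p) for p in pairs}
    table = [spi for pair in pairs for spi in pair]
    genuine_hits = spurious = 0
    for a, b in combinations(table, 2):
        if looks_paired(a, b):
            if frozenset((a, b)) in genuine:
                genuine_hits += 1
            else:
                spurious += 1
    return genuine_hits, spurious


if __name__ == "__main__":
    rng = random.Random(7)
    init_spi, resp_spi = make_pair(rng)
    # A second responder-style SPI with the same upper half is indistinguishable.
    lookalike = (upper_half(resp_spi) << HALF_BITS) | ((resp_spi + 1) & HALF_MASK)
    print("candidates for initiator SPI:", candidate_peers(init_spi, [resp_spi, lookalike]))
    print("expected spurious matches, 400 SPIs:", round(expected_spurious_matches(400), 2))
    print("simulated (genuine, spurious), 200 sessions:", simulate(200))
```

With 400 SPIs in the table the expected number of unrelated pairs that pass the check is about 2.4, which is the "non-zero probability" in the question; `candidate_peers` returning more than one entry is the condition under which the reply says the NAT would have to drop the traffic.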