
RE: NAT Traversal



On Mon, 4 Mar 2002, Paul Koning wrote:
> >>>>> "Chinna" == Chinna N R Pellacuru <pcn@cisco.com> writes:
>
>  Chinna> And considering the fact that an IPsec SA is identified by
>  Chinna> the tuple: Destination, Protocol and SPI, the probability of
>  Chinna> a collision is even lower, and for all practical purposes
>  Chinna> zero.
>
> But we're talking about NAT.  NAT hides addresses behind it and makes
> everything look like a single address.
>
> So in the context of NAT (at the other end) you have lots of SAs from
> the same address, and of course the protocol is constant (50).
>

I think that there seems to be a big problem with people who want to only
casually look at this problem of NAT and IPsec. I think that these casual
observers tend to assume that any and every possible scenario of NATs and
IPsec will work with some solution. You'll have to first take the time to
understand what is feasible, and what is not. Once you have come up with a
set of scenarios in which it is feasible to solve this problem, then you
have to pick a technique that will only work in those scenarios.

Now, given that, please let me know what scenario you are particularly
interested in, and I can try and see if our solution will work. Without
the details, I don't know what you are talking about. Let's not try and
talk about NAT and IPsec in general, because I think both of these
protocols are very complex individually, and once you combine them, they
tend to become intractable.

    chinna