[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT Traversal

To: "Chinna N.R. Pellacuru" <pcn@cisco.com>
Subject: Re: NAT Traversal
From: Bill Sommerfeld <sommerfeld@east.sun.com>
Date: Mon, 04 Mar 2002 18:11:15 -0500
cc: Stephen Kent <kent@bbn.com>, Srinivasa Addepalli <srao@intotoinc.com>, Jayant Shukla <jshukla@trlokom.com>, "'Henrik Levkowetz'" <henrik@ipunplugged.com>, "'ipsec mailling list'" <ipsec@lists.tislabs.com>
In-Reply-To: Your message of "Mon, 04 Mar 2002 14:21:17 PST." <Pine.GSO.4.33.0203041415560.23950-100000@cypher.cisco.com>
Reply-to: sommerfeld@east.sun.com
Sender: owner-ipsec@lists.tislabs.com

> I am suggesting that the original concept of IPsec SA being identified by
> a tuple: destination IP, protocol, SPI be required, and within the SPI add
> new semantics for picking a SPI on the phase2 responder.

I strongly object.

UDP encapsulation works JUST FINE to get through NATs which aren't
trying to be too clever (and it appears that there are other
workarounds to deal with overly-clever NATs).

There's no need to introduce potential vulnerabilities/points of
collision/etc. elsewhere in the system.

						- Bill

Follow-Ups:
- RE: NAT Traversal
  - From: "Jayant Shukla" <jshukla@trlokom.com>
- RE: NAT Traversal
  - From: "Henrik Levkowetz" <henrik@ipunplugged.com>

References:
- RE: NAT Traversal
  - From: "Chinna N.R. Pellacuru" <pcn@cisco.com>

Prev by Date: JFK Algorithm Choice
Next by Date: ikev2 DOS protection mechanisms
Prev by thread: RE: NAT Traversal
Next by thread: RE: NAT Traversal
Index(es):
- Date
- Thread