[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: NAT Traversal

To: "Chinna N.R. Pellacuru" <pcn@cisco.com>
Subject: RE: NAT Traversal
From: Stephen Kent <kent@bbn.com>
Date: Mon, 4 Mar 2002 18:22:50 -0500
Cc: Srinivasa Addepalli <srao@intotoinc.com>, Jayant Shukla <jshukla@trlokom.com>, "'Henrik Levkowetz'" <henrik@ipunplugged.com>, "'ipsec mailling list'" <ipsec@lists.tislabs.com>
In-Reply-To: <Pine.GSO.4.33.0203041415560.23950-100000@cypher.cisco.com>
References: <Pine.GSO.4.33.0203041415560.23950-100000@cypher.cisco.com>
Sender: owner-ipsec@lists.tislabs.com

Chinna,

Reasonable questions. Let me try to provide some history and explain 
the motivations for the clarifications:

	<SNIP>

>
>  > Just a few notes re this discussion:
>>
>>	- the revised ESP/AH documents emphasize that an IPsec
>>  implementation need not use the protocol type for SPI
>>  differentiation. so, if one starts assuming this is true, it will be
>>  yet another conflict with the IPsec specs
>
>Curious what are the reasons for removing this restriction, and what are
>the cons of still reqiring that this restriction apply.

There was never a real need to use the protocol type and, in fact, 
one IPsec device generally cannot tell if its peer is or is not using 
the protocol type for SPI demuxing. We got feedback over the last 2 
years from vendors asking us to revise the description to better 
reflect what they tended to do, and which in no way detracted from 
interoperability.

As for the destination address, this was a result of poor wording, 
i.e., we never needed this for demuxing, except for multicast, but we 
did a very poor job of saying that.  Again, we have gotten feedback 
from vendors who didn't understand why this "requirement" was 
imposed, and so we explained under what circumstances one really 
needs to use the dest addr for SPI demuxing.

>
>>
>>	- similarly, an IPsec implementation does not need to use the
>>  dest IP address as part of the SPI lookup, unless that address is for
>>  a multicast group.
>>
>
>Here also, curious why that it is not required anymore to have dest IP
>address as part of SPI lookup.

It never was needed, as noted above, except for multicast. It is 
needed for multicast only because in that case the receiver does NOT 
select the SPI, i.e., the multicast controller does.  If you propose 
to impose restrictions on SPI generation, you should take into 
account the multicast case as well.  The MSEC WG is getting close to 
promulgating standards that will support the simple case,  single 
sender, multiple receivers, so we should be careful to not do 
anything that will interfere with that work.

>
>>	- do I understand correctly that you are suggesting a change
>>  to the specs to reduce the effective SPI space by a factor of 65K?
>>  is everyone comfortable with this?
>>
>>  Steve
>>
>
>I am suggesting that the original concept of IPsec SA being identified by
>a tuple: destination IP, protocol, SPI be required, and within the SPI add
>new semantics for picking a SPI on the phase2 responder.

The new ESP ID, published before the December IETF, clarified the SPI 
demuxing description. We have received feedback on the ID, and nobody 
has voiced any objections to this revised SPI demuxing description. 
There appear to be no "cons" to the new wording. The "pros" are that 
IPsec implementations need not spend cycles matching additional 
fields in inbound IPsec headers that are not needed to demux SAs, 
which potentially improves performance.  As people develop high speed 
IPsec implementations (note the extended sequence number option is 
motivated by the need to support multi-gigabit IPsec speeds), using 
fewer inputs to SA selection for inbound traffic reduces costs (e.g., 
narrower CAMs).

Steve

Follow-Ups:
- RE: NAT Traversal
  - From: "Chinna N.R. Pellacuru" <pcn@cisco.com>
- RE: NAT Traversal
  - From: Paul Koning <pkoning@equallogic.com>

References:
- RE: NAT Traversal
  - From: "Chinna N.R. Pellacuru" <pcn@cisco.com>

Prev by Date: RE: NAT Traversal
Next by Date: RE: NAT Traversal
Prev by thread: RE: NAT Traversal
Next by thread: RE: NAT Traversal
Index(es):
- Date
- Thread