RE: NAT Traversal
At 3:52 PM -0800 3/4/02, Chinna N.R. Pellacuru wrote:
>Hi Steve,
>
>Is it possible that along with the sequence number, we also increase the
>SPI space so that we can use some of the SPI space for NAT translation.
>We could keep the original restrictions on how to pick an SA, or we need
>to come up with elaborate schemes to effectively increase the SPI space,
>like you are attempting to increase the sequence number.
I see a problem here. We increased the sequence number size, but
didn't transmit the extra (high order) 32 bits! So, I can't see
folks being fond of an increase in SPI size. It is no accident that
the current ESP header is a multiple of both 4 and 8 bytes, using the
default integrity algorithm length, specifically to ensure IPv4 and
v6 alignment for the payload. Adding 2 bytes for a bigger SPI would
break that alignment.
>How does the transition happen? If the new ESP ID is placing additional
>restrictions that did not exist originally I think it is fair to ask the
>new ID to accommodate NAT traversal by increasing the SPI space. It's like
>shutting off all the doors for us.
The extended sequence number is an option that is negotiated by IKE
(or its successor), so it is backward compatible with existing
implementations that do not support the extended sequence number
facility.
>
>You bring up another good point about multicast. Frankly, I haven't
>thought about it. I'll have to look at this and get back to you and the
>list.
OK.
Steve
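An added example (not from the thread) illustrating the two points Steve makes: the ESP header stays 8 bytes because only the low 32 bits of the extended sequence number go on the wire, and the receiver recovers the untransmitted high-order 32 bits from its anti-replay window state, using the procedure later written down in RFC 4303 Appendix A2.2. Function names and the sample window values are mine.

```python
import struct

MASK32 = 0xFFFFFFFF


def esp_header(spi: int, seq: int) -> bytes:
    """Serialize the on-wire ESP header: 32-bit SPI plus the low 32 bits
    of the (possibly 64-bit extended) sequence number."""
    return struct.pack("!II", spi, seq & MASK32)


def header_aligned(spi_len: int = 4, seq_len: int = 4) -> bool:
    """True when SPI + sequence-number fields leave the payload on an
    8-byte boundary (the IPv4/IPv6 alignment argument in the mail)."""
    return (spi_len + seq_len) % 8 == 0


def estimate_high_bits(seq_lo: int, seq_h: int, seq_l: int, window: int) -> int:
    """Infer the high-order 32 bits for a received low-order value.

    seq_h / seq_l : high and low 32 bits of the highest sequence number
                    authenticated so far (receiver state).
    window        : anti-replay window size in packets.
    """
    bottom = (seq_l - window + 1) & MASK32  # lowest low-32 value in the window
    if seq_l >= window - 1:
        # Window does not straddle a 32-bit wrap: anything below the
        # window bottom must be a newer packet after the next wrap.
        return seq_h if seq_lo >= bottom else seq_h + 1
    # Window straddles the wrap: values near 2^32 belong to the previous
    # high-order half; small values belong to the current one.
    return seq_h - 1 if seq_lo >= bottom else seq_h


def full_sequence(seq_lo: int, seq_h: int, seq_l: int, window: int) -> int:
    """Reconstruct the 64-bit sequence number the sender used."""
    return (estimate_high_bits(seq_lo, seq_h, seq_l, window) << 32) | seq_lo


if __name__ == "__main__":
    # Constructed sample: receiver has seen seq 0x1_00000005, window of 64.
    print(len(esp_header(0x1234, 0x1_00000005)))            # 8 bytes on the wire
    print(hex(full_sequence(0xFFFFFFF0, 1, 0x5, 64)))       # 0xfffffff0 (before wrap)
    print(hex(full_sequence(0x0000000A, 1, 0x5, 64)))       # 0x10000000a
```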