RE: NAT Traversal

On Mon, 4 Mar 2002, Stephen Kent wrote:

 > At 3:52 PM -0800 3/4/02, Chinna N.R. Pellacuru wrote:
 > >Hi Steve,
 > >
 > >Is it possible that along with the sequence number, we also increase the
 > >SPI space so that we can use some of the SPI space for NAT translation.
 > >We could keep the original restrictions on how to pick an SA, or we need
 > >to come up with elaborate schemes to effectively increase the SPI space,
 > >like you are attempting to increase the sequence number.
 >
 > I see a problem here. We increased the sequence number size, but
 > didn't transmit the extra (high order) 32 bits!  So, I can't see
 > folks being fond of an increase in SPI size.  It is no accident that
 > the current ESP header is a multiple of both 4 and 8 bytes, using the
 > default integrity algorithm length, specifically to ensure IPv4 and
 > v6 alignment for the payload. Adding 2 bytes for a bigger SPI would
 > break that alignment.

If changing the ESP header bits is an option, then it may make more
sense to include both source and dest SPIs in the header instead of
increasing the SPI size to either 6 or 8 bytes. IP, TCP and UDP include
both src/dest fields. This way the semantics of the entire SPI bits
remain with the entity generating the SPIs while allowing the NAT
devices to allow proper mapping.

In order to maintain 8-byte alignment, the Sequence number can also be
increased to 64 bits. Alternatively SPIs can be increased to 48-bits
and the sequence number bits remain the same.

-Saroop
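
The alignment arithmetic in the exchange above, as an added example (not code from either poster or from any IPsec implementation): it packs and parses the header variants mentioned in the thread and reports whether the data following the header stays 4- and 8-byte aligned. The layout labels and field names are assumptions, and only the fixed SPI and sequence number fields are modelled.

```python
# Each layout is an ordered list of (field name, width in bits). Labels and
# field names are assumptions for this example; the widths come from the thread.
LAYOUTS = {
    "current": [("spi", 32), ("seq", 32)],
    "spi48": [("spi", 48), ("seq", 32)],  # "adding 2 bytes for a bigger SPI"
    "dual_spi32_seq32": [("src_spi", 32), ("dst_spi", 32), ("seq", 32)],
    "dual_spi32_seq64": [("src_spi", 32), ("dst_spi", 32), ("seq", 64)],
    # One reading of "SPIs can be increased to 48-bits": two 48-bit SPIs.
    "dual_spi48_seq32": [("src_spi", 48), ("dst_spi", 48), ("seq", 32)],
}

def header_len(layout):
    """Header length in bytes; every field must be a whole number of bytes."""
    if any(width % 8 for _, width in layout):
        raise ValueError("fields must be byte-aligned")
    return sum(width for _, width in layout) // 8

def pack(layout, values):
    """Serialize field values big-endian (network order) in layout order."""
    out = bytearray()
    for name, width in layout:
        value = values[name]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        out += value.to_bytes(width // 8, "big")
    return bytes(out)

def unpack(layout, data):
    """Parse a header; return (fields, offset of the data that follows)."""
    if len(data) < header_len(layout):
        raise ValueError("truncated header")
    fields, offset = {}, 0
    for name, width in layout:
        size = width // 8
        fields[name] = int.from_bytes(data[offset:offset + size], "big")
        offset += size
    return fields, offset

def alignment(layout):
    """(4-byte aligned?, 8-byte aligned?) for the data after the header."""
    n = header_len(layout)
    return n % 4 == 0, n % 8 == 0

if __name__ == "__main__":
    for label, layout in LAYOUTS.items():
        print(f"{label:18} {header_len(layout):2} bytes  4/8: {alignment(layout)}")
```

Two 32-bit SPIs with the 32-bit sequence number give a 12-byte header, which is 4-byte but not 8-byte aligned; widening the sequence number to 64 bits brings it to 16 bytes.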
