
RE: NAT Traversal



At 7:15 PM -0800 3/4/02, Saroop Mathur wrote:
>On Mon, 4 Mar 2002, Stephen Kent wrote:
>
>  > At 3:52 PM -0800 3/4/02, Chinna N.R. Pellacuru wrote:
>  > >Hi Steve,
>  > >
>  > >Is it possible that along with the sequence number, we also increase the
>  > >SPI space so that we can use some of the SPI space for NAT translation.
>  > >We could keep the original restrictions on how to pick an SA, or we need
>  > >to come up with elaborate schemes to effectively increase the SPI space,
>  > >like you are attempting to increase the sequence number.
>  >
>  > I see a problem here. We increased the sequence number size, but
>  > didn't transmit the extra (high order) 32 bits!  So, I can't see
>  > folks being fond of an increase in SPI size.  It is no accident that
>  > the current ESP header is a multiple of both 4 and 8 bytes, using the
>  > default integrity algorithm length, specifically to ensure IPv4 and
>  > v6 alignment for the payload. Adding 2 bytes for a bigger SPI would
>  > break that alignment.
>
>If changing the ESP header bits is an option, then it may make more
>sense to include both source and dest SPIs in the header instead of
>increasing the SPI size to either 6 or 8 bytes. IP, TCP and UDP include
>both src/dest fields. This way the semantics of the entire SPI bits
>remain with the entity generating the SPIs while allowing the NAT
>devices to allow proper mapping.

Please reread my comments. We explicitly did NOT change the header to 
accommodate the extra sequence number bits.  Also, the reasons that 
IP, TCP and UDP include both source and destination addresses and/or 
port fields have to do with the model for demuxing that they adopted 
(>25 years ago). We articulated an approach to demuxing for ESP/AH 
that is different, and more space efficient. We have different models 
here.

>In order to maintain 8-byte alignment, the Sequence number can also be
>increased to 64 bits. Alternatively SPIs can be increased to 48-bits
>and the sequence number bits remain the same.
>
>-Saroop

If one wanted to increase the size of the header and maintain 8-byte 
alignment, there are many ways to do that. But I don't think the 
IPsec community has expressed a general desire to double the header 
size for all traffic, as a means of reducing the overhead for NAT 
traversal.

Steve
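The point Steve makes about the extended sequence number (a 64-bit counter of which only the low-order 32 bits are carried in the 8-byte ESP header) is easier to see in code. What follows is an added example, not code from the IPsec working group, RFC 4303 or any participant in this thread. It implements the receiver-side reconstruction of the high-order bits from RFC 4303 Appendix A and shows why the untransmitted bits are still safe: they are covered by the ICV, so a wrong guess fails integrity checking instead of advancing the replay window. The HMAC key, the window size, the simplified packet layout (no encryption, no ESP trailer, 96-bit truncated ICV) and the order of inbound packets are all constructed assumptions.

```python
"""
ESP header + Extended Sequence Number (ESN) handling.

Added example for the discussion above; not code from the IPsec WG, RFC 4303
or any participant. The key, window size, packet layout and arrival order are
constructed for illustration only.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
ESP_HDR = struct.Struct("!II")   # SPI (4 bytes) || Sequence Number (4 bytes): 8 bytes, 4- and 8-aligned
ICV_LEN = 12                     # 96-bit truncated ICV, the usual ESP choice
KEY = b"constructed-demo-key-not-from-IKE"   # constructed; real keys come from IKE


def compute_icv(key: bytes, spi: int, seq64: int, payload: bytes) -> bytes:
    """ICV over SPI || Seql || payload || Seqh.

    With ESN the high-order 32 bits (Seqh) are covered by the ICV as an
    implicit trailing field but never appear on the wire (RFC 4303 2.2.1).
    """
    seqh, seql = seq64 >> 32, seq64 & MASK32
    data = ESP_HDR.pack(spi, seql) + payload + struct.pack("!I", seqh)
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(key: bytes, spi: int, seq64: int, payload: bytes) -> bytes:
    """Sender side: the fixed 8-byte header carries only the low 32 bits of seq64."""
    return ESP_HDR.pack(spi, seq64 & MASK32) + payload + compute_icv(key, spi, seq64, payload)


class EsnReceiver:
    """Per-SA receiver state: 64-bit top-of-window counter (Tr) and a replay bitmap."""

    def __init__(self, key: bytes, window: int = 64, top: int = 0):
        self.key, self.w, self.top = key, window, top
        self.bitmap = 1 if top else 0   # bit i set => sequence number (top - i) already accepted

    def reconstruct(self, seql: int) -> int:
        """RFC 4303 Appendix A: choose Seqh so Seqh||Seql lands in or just above the window."""
        th, tl = self.top >> 32, self.top & MASK32
        if tl >= self.w - 1:                        # window lies inside one 2^32 subspace
            seqh = th if seql >= tl - self.w + 1 else th + 1
        else:                                       # window straddles a subspace boundary
            low_bound = (tl - self.w + 1) & MASK32  # wraps to a large value
            seqh = th - 1 if seql >= low_bound else th
        return (seqh << 32) | seql

    def receive(self, pkt: bytes) -> str:
        spi, seql = ESP_HDR.unpack_from(pkt)
        payload, tag = pkt[ESP_HDR.size:-ICV_LEN], pkt[-ICV_LEN:]
        seq = self.reconstruct(seql)
        # Preliminary anti-replay check on the reconstructed 64-bit value.
        if seq <= 0 or (seq <= self.top and self.top - seq >= self.w):
            return "stale"
        if seq <= self.top and (self.bitmap >> (self.top - seq)) & 1:
            return "replay"
        # The ICV binds the guessed Seqh: an old packet misread as far-future
        # fails here instead of dragging the window forward.
        if not hmac.compare_digest(tag, compute_icv(self.key, spi, seq, payload)):
            return "bad-icv"
        # Update the window only after the ICV verifies.
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & ((1 << self.w) - 1)) | 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "accept"


def run_scenario():
    """Constructed inbound sequence around the 2^32 boundary; returns (decisions, final Tr)."""
    spi = 0x1000ABCD

    def send(seq64: int) -> bytes:
        return build_packet(KEY, spi, seq64, b"payload-" + str(seq64).encode())

    # Receiver state as if 2^32 - 2 packets had already been accepted (constructed).
    rx = EsnReceiver(KEY, window=64, top=(1 << 32) - 2)
    arrivals = [
        send((1 << 32) + 3),    # crosses into subspace 1: Seqh must be inferred as 1
        send((1 << 32) - 2),    # replay of the previous Tr, already in the bitmap
        send((1 << 32) - 1),    # late but genuine packet from subspace 0
        send((1 << 32) + 1),    # late packet from subspace 1
        send((1 << 32) - 64),   # genuine but older than the window; reads as far-future
    ]
    return [rx.receive(p) for p in arrivals], rx.top


if __name__ == "__main__":
    print(run_scenario())
```

The last arrival is the interesting failure mode: its low 32 bits fall just below the window, so the Appendix A rule guesses the next subspace and the packet looks like it is far in the future. Without the ICV binding Seqh, that guess would jump Tr by almost 2^32 and invalidate every genuine in-flight packet; with it, the packet is simply dropped as a bad ICV.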