
RE: NAT Traversal



Excerpt of message (sent 5 March 2002) by Chinna N.R. Pellacuru:
> On Tue, 5 Mar 2002, Paul Koning wrote:
> 
> > >>>>> "Chinna" == Chinna N R Pellacuru <pcn@cisco.com> writes:
> >
> >  Chinna> We based our design on what the RFC 2401 says:
> >
> >  Chinna> " o SPI: the 32-bit value used to distinguish among different
> >  Chinna> SAs terminating at the same destination and using the same
> >  Chinna> IPsec protocol.  [REQUIRED for all implementations] "
> >
> >  Chinna> So, RFC 2401 is wrong?
> >
> > No.  But you missed something.
> >
> > RFC 2401 gives the receiving end of an SA full authority over the SPI
> > value.  It requires that the SPI values must be unique for a given
> > protocol and remote destination.  That's the minimum required for
> > demuxing to work.
> >
> > But it does NOT require that SPI values be reused among SAs that have
> > different protocol or destination!
> 
> "[REQUIRED for all implementations]"
> 
> >
> > If you had a wide CAM, or fast hash lookup of wide keys, you can reuse
> > SPI values and lookup on the {address,SPI,protocol} triple.
> 
> "[REQUIRED for all implementations]"
> ...

Judging by the tone of your note, I am probably wasting my time, but I
will make one more attempt to explain this to you.

Look in RFC 2401, page 46:

        ... An SPI has only local significance, as defined by
        the creator of the SA (usually the receiver of the packet
        carrying the SPI); thus an SPI is generally viewed as an opaque
        bit string.  However, the creator of an SA may choose to
        interpret the bits in an SPI to facilitate local processing.

(The "usually" refers to the exception case of manual SAs, where
management chooses the SPI.)

The creator of the SA -- the receiver for that SA, in the case of
dynamic SAs -- may choose the bits of the SPI to facilitate local
processing.  One such choice is to make the SPI values unique across
all SAs in the box.  It can do that because SPI values have local
significance -- anyone outside the box is explicitly NOT allowed to
interpret the bits of the SPI and assume they have any particular
meaning.  So long as the values are chosen such that the receiver can
identify the correct SA, the implementation conforms with the
requirement that you keep quoting ad nauseam.

Clearly, if the SPI alone is sufficient to identify the SA, then the
triple SPI/address/protocol is also sufficient.

       paul
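The two lookup disciplines debated above, as an added example that is not part of this thread or of any real IPsec stack: a toy receiver-side SA database (the `InboundSAD` class, its policy names and the RFC 5737 test addresses are my own constructions) showing that SPI-only demux is only sound when the receiver allocates SPIs unique box-wide, while the RFC 2401 {address, SPI, protocol} triple works under either allocation policy.

```python
import os
from collections import namedtuple

ESP, AH = 50, 51                       # IP protocol numbers of the two IPsec protocols
SA = namedtuple("SA", "dst proto spi")

class InboundSAD:
    """Receiver-side SA database (hypothetical). policy="box" keeps SPIs unique
    across every SA in the box; policy="triple" only per (dst, proto)."""
    def __init__(self, policy="box"):
        self.policy = policy
        self.by_triple = {}            # (dst, proto, spi) -> SA: RFC 2401 demux key
        self.by_spi = {}               # spi -> [SA, ...]: SPI-only shortcut
    def allocate_spi(self, dst, proto, rng=os.urandom):
        """The receiver chooses the SPI; values 0-255 are reserved by RFC 2401."""
        while True:
            spi = int.from_bytes(rng(4), "big")
            if spi < 256 or (dst, proto, spi) in self.by_triple:
                continue
            if self.policy == "box" and spi in self.by_spi:
                continue               # box-wide uniqueness: never reuse a live SPI
            return spi
    def add(self, dst, proto, spi=None):
        if spi is None:
            spi = self.allocate_spi(dst, proto)
        if self.policy == "box" and spi in self.by_spi:
            raise ValueError("SPI already in use box-wide")
        sa = SA(dst, proto, spi)
        self.by_triple[(dst, proto, spi)] = sa
        self.by_spi.setdefault(spi, []).append(sa)
        return sa
    def lookup_triple(self, dst, proto, spi):
        return self.by_triple.get((dst, proto, spi))
    def lookup_spi_only(self, spi):
        """Only sound under the box-wide policy; None signals an ambiguous hit."""
        hits = self.by_spi.get(spi, [])
        return hits[0] if len(hits) == 1 else None

def demo():
    """Constructed addresses (RFC 5737 range). Returns three booleans."""
    per_dst = InboundSAD("triple")            # SPI 0x1000 reused for two peers
    per_dst.add("192.0.2.1", ESP, spi=0x1000)
    b = per_dst.add("192.0.2.2", ESP, spi=0x1000)
    ambiguous = per_dst.lookup_spi_only(0x1000) is None      # SPI alone cannot demux
    triple_ok = per_dst.lookup_triple("192.0.2.2", ESP, 0x1000) == b
    box = InboundSAD("box")
    sas = [box.add("192.0.2.1", ESP), box.add("192.0.2.2", AH)]
    agree = all(box.lookup_spi_only(s.spi) == box.lookup_triple(*s) == s for s in sas)
    return ambiguous, triple_ok, agree
```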