
RE: NAT Traversal



On Wed, 6 Mar 2002, Paul Koning wrote:

> Excerpt of message (sent 5 March 2002) by Chinna N.R. Pellacuru:
> > Same here. I'll also try and make one last attempt to try and convince you
> > that RFC2401 pretty strongly recommends that the IPsec SA be picked on
> > {dest IP, IPsec protocol, SPI}.
>
> There is absolutely nothing in any RFC that requires an IPsec
> implementation to allow the existence of two inbound SAs for
> <DA1,Prot1,SPI1> and <DA2,Prot2,SPI2> where DA1 != DA2 || Prot1 != Prot2
> such that SPI1 == SPI2.  Yes, that's allowed, no, it's not required.

I just want to make sure that there is no technical content in this
discussion anymore.

We are down to the phase where we are trying to figure out what the meaning
of "is" is.

I agree to your above assertion, and I also want to state that RFC 2401
REQUIRES all IPsec implementations to search the SA on {dest IP, IPsec
Protocol, SPI}, and also pretty strongly recommends all IPsec
implementations to index their SAD by Destination Address, Protocol and
SPI.

Do you agree to this?

    chinna
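
An added illustration, not part of either poster's message or of any IPsec implementation: an inbound SAD indexed by {dest IP, IPsec protocol, SPI}, run once allowing the same SPI under different destinations or protocols and once with a receiver that never reuses an SPI. The class names, the `unique_spi` switch, the addresses and the SPI value are constructed for this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ESP, AH = 50, 51  # IP protocol numbers for ESP and AH


@dataclass(frozen=True)
class SA:
    dst: str      # destination address of the inbound SA
    proto: int    # ESP or AH
    spi: int
    label: str    # constructed name, only for this demo


class SAD:
    """Inbound SA database indexed by (dest IP, protocol, SPI)."""

    def __init__(self, unique_spi=False):
        # unique_spi=True models a receiver that never hands out the same
        # SPI twice, which is its own choice since it allocates inbound SPIs.
        self.unique_spi = unique_spi
        self._sas = {}

    def add(self, sa):
        key = (ip_address(sa.dst), sa.proto, sa.spi)
        if key in self._sas:
            raise ValueError("triple already in use")
        if self.unique_spi and any(k[2] == sa.spi for k in self._sas):
            raise ValueError("SPI already allocated")
        self._sas[key] = sa

    def lookup(self, dst, proto, spi):
        """Return the SA for a received packet's triple, or None."""
        return self._sas.get((ip_address(dst), proto, spi))


def demo():
    # Constructed SAs: same SPI, differing in destination or protocol.
    sas = [SA("192.0.2.1", ESP, 0x1000, "esp-to-.1"),
           SA("192.0.2.1", AH, 0x1000, "ah-to-.1"),
           SA("192.0.2.2", ESP, 0x1000, "esp-to-.2")]
    shared, strict, rejected = SAD(), SAD(unique_spi=True), []
    for sa in sas:
        shared.add(sa)
        try:
            strict.add(sa)
        except ValueError:
            rejected.append(sa.label)
    return shared, strict, rejected
```

In both configurations the packet path is the same triple lookup; only the allocation policy in `add` differs.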