
Re: NAT Traversal



> I agree to your above assertion, and I also want to state that RFC 2401
> REQUIRES all IPsec implementations to search the SA on {dest IP, IPsec
> Protocol, SPI}, and also pretty strongly recommends all IPsec
> implementations to index their SAD by Destination Address, Protocol and
> SPI.

This is not my interpretation of 2401.  2401 says that the receiver
picks the SPI.  A consequence of this is that:

 - the IPsec protocol value *may* be used as part of the lookup but
   there is no requirement that it be used.

 - in the case of unicast traffic, an implementation could assign SPIs
   in such a way that it need not use the destination address to look up the
   SA (however, it might examine the destination address in subsequent
   policy checks).

					- Bill
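To make the point above concrete, here is an added example in Python (not from the thread or any real IPsec stack): a toy SAD keyed on the full {dst, protocol, SPI} triple beside one keyed on the SPI alone, where receiver-side SPI allocation keeps every inbound SPI unique and the destination address and protocol are verified in a later policy check. The addresses, class names and SA fields are constructed for illustration.

```python
from dataclasses import dataclass

ESP, AH = 50, 51  # IPsec protocol numbers (IANA)


@dataclass(frozen=True)
class InboundSA:
    spi: int     # chosen by this receiver
    proto: int   # ESP or AH
    dst: str     # local address the SA was negotiated for
    peer: str    # remote endpoint (constructed field for illustration)


class TripleKeyedSAD:
    """SAD indexed by (dst, proto, SPI), the RFC 2401 recommended key."""

    def __init__(self):
        self._table = {}

    def add(self, sa):
        self._table[(sa.dst, sa.proto, sa.spi)] = sa

    def lookup(self, dst, proto, spi):
        return self._table.get((dst, proto, spi))


class SpiKeyedSAD:
    """SAD indexed by SPI alone (unicast case).

    Because the receiver picks the SPI, it can hand out each inbound SPI
    exactly once across all protocols and local addresses, so the SPI by
    itself identifies the SA.  dst and proto are then checked against the
    SA as a policy check rather than being part of the lookup key.
    For multicast, where a group controller assigns the SPI, this
    uniqueness is not guaranteed and dst must be part of the key.
    """

    def __init__(self, first_spi=256):
        self._table = {}
        self._next_spi = first_spi  # SPIs 1..255 are reserved by IANA

    def allocate(self, proto, dst, peer):
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        sa = InboundSA(spi, proto, dst, peer)
        self._table[spi] = sa
        return sa

    def lookup(self, dst, proto, spi):
        sa = self._table.get(spi)
        if sa is None or sa.dst != dst or sa.proto != proto:
            return None  # unknown SPI, or SPI reused at the wrong address/protocol
        return sa
```

A packet carrying a valid SPI but arriving for a different local address is dropped by the post-lookup check in `SpiKeyedSAD`, which is the "subsequent policy checks" step Bill refers to.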