Re: NAT Traversal
> I agree to your above assertion, and I also want to state that RFC 2401
> REQUIRES all IPsec implementations to search the SA on {dest IP, IPsec
> Protocol, SPI}, and also pretty strongly recommends all IPsec
> implementations to index their SAD by Destination Address, Protocol and
> SPI.
This is not my interpretation of 2401. 2401 says that the receiver
picks the SPI. A consequence of this is that:
- the IPsec protocol value *may* be used as part of the lookup but
there is no requirement that it be used.
- in the case of unicast traffic, an implementation could assign SPIs
in such a way that it need not use the destination address to look up the
SA (however, it might examine the destination address in subsequent
policy checks).
- Bill
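The two SAD indexing choices discussed in this exchange, as an added illustration that is not part of the thread: one table keyed on the recommended {dst, proto, SPI} triple, and one keyed on SPI alone, which works only because the receiver allocates every inbound SPI from a single space and then applies the destination address as a separate policy check. Class and function names, addresses and the allocation scheme are hypothetical.

```python
from dataclasses import dataclass
import itertools

ESP, AH = 50, 51  # IPsec protocol numbers


@dataclass(frozen=True)
class SA:
    spi: int
    proto: int
    dst: str   # local address the SA was established for


class TripleKeyedSAD:
    """SAD indexed by {dst, proto, SPI}: the key RFC 2401 recommends."""
    def __init__(self):
        self._table = {}

    def add(self, sa):
        self._table[(sa.dst, sa.proto, sa.spi)] = sa

    def lookup(self, dst, proto, spi):
        return self._table.get((dst, proto, spi))


class SpiKeyedSAD:
    """SAD indexed by SPI only. Valid because this receiver hands out all
    inbound SPIs (ESP and AH, every local address) from one counter, so an
    SPI alone identifies the SA; dst is checked afterwards as policy."""
    def __init__(self):
        self._table = {}
        self._next_spi = itertools.count(0x100)  # SPIs 1..255 are reserved

    def allocate(self, proto, dst):
        sa = SA(next(self._next_spi), proto, dst)
        self._table[sa.spi] = sa
        return sa

    def lookup(self, spi):
        return self._table.get(spi)


def policy_check(sa, dst):
    """Subsequent policy check: does the packet's dst match the SA's?"""
    return sa.dst == dst


def inbound(triple_sad, spi_sad, dst, proto, spi):
    """Return (found_by_triple, found_by_spi, policy_ok) for one packet."""
    by_triple = triple_sad.lookup(dst, proto, spi) is not None
    sa = spi_sad.lookup(spi)
    policy_ok = sa is not None and sa.proto == proto and policy_check(sa, dst)
    return by_triple, sa is not None, policy_ok
```

A packet whose destination address differs from the one the SA was created for is not found at all by the triple-keyed table, while the SPI-keyed table still finds the SA and leaves the mismatch to the policy check.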