Re: NAT Traversal
Chinna,
Please see also:
The receiver-orientation of the Security Association implies that, in
the case of unicast traffic, the destination system will normally
select the SPI value. By having the destination select the SPI
value, there is no potential for manually configured Security
Associations to conflict with automatically configured (e.g., via a
key management protocol) Security Associations or for Security
Associations from multiple sources to conflict with each other.
This means that *IN PRACTICE*, the "REQUIRED" verbiage you cite means
very little.
Moreover, the author of 2401 has stated in public on several occasions
without objection that the "REQUIRED" bits will be weakened in a 2401
follow-on.
> In any case, I think you bring up another point. Probably you in your
> implementation (probably being an "endpoint" IPsec implementation), will
> only deal with a maximum of a couple of IPsec SAs at any time.
Please keep ad-hominem attacks off the list.
The Solaris IPsec implementation handles quite a few more SAs than
that.
- Bill
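The receiver-selected SPI allocation that the quoted RFC 2401 text describes, as an added illustration that is not part of this mail or of any IPsec implementation: a toy receiver-side SAD keyed by (destination, SPI, protocol), in which manually configured and key-management-installed inbound SAs draw from the same receiver-owned SPI space, so they cannot collide (class and method names, the sample addresses and keys are assumptions).

```python
"""Toy receiver-side Security Association Database (constructed example).
Every inbound SPI is chosen by the receiver, whether the SA comes from
manual configuration or from a key-management daemon, so the two
sources share one namespace and cannot conflict."""
import secrets

ESP, AH = 50, 51          # IP protocol numbers; AH and ESP have separate SPI spaces
SPI_RESERVED_MAX = 255    # RFC 2401: SPIs 1..255 reserved to IANA, 0 for local use


class ReceiverSAD:
    """Inbound SAs keyed by the (dst, spi, proto) triple used for SA lookup."""

    def __init__(self, local_addr):
        self.local_addr = local_addr
        self.sad = {}  # (dst, spi, proto) -> SA state (hypothetical layout)

    def allocate_spi(self, proto):
        """Receiver picks a fresh SPI outside the reserved range for `proto`."""
        while True:
            spi = secrets.randbelow(0xFFFFFFFF - SPI_RESERVED_MAX) + SPI_RESERVED_MAX + 1
            if (self.local_addr, spi, proto) not in self.sad:
                return spi

    def install_inbound(self, peer, proto, key, source, spi=None):
        """Install an SA for traffic from `peer`.

        `source` records whether the SA was keyed manually or by a key
        management protocol.  A manually supplied SPI is still a value the
        receiver's administrator chose, so it is checked against the same
        table; an automatically keyed SA always gets an allocated SPI."""
        if spi is None:
            spi = self.allocate_spi(proto)
        elif spi <= SPI_RESERVED_MAX:
            raise ValueError("SPI %d is in the reserved range" % spi)
        elif (self.local_addr, spi, proto) in self.sad:
            raise ValueError("SPI %d already in use for proto %d" % (spi, proto))
        self.sad[(self.local_addr, spi, proto)] = {
            "peer": peer, "key": key, "source": source}
        return spi  # the sender must use this value in its outbound packets

    def lookup(self, dst, spi, proto):
        """Inbound packet classification; None means no SA, packet is dropped."""
        return self.sad.get((dst, spi, proto))
```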