
Re: NAT Traversal



Chinna,

Please see also:

   The receiver-orientation of the Security Association implies that, in
   the case of unicast traffic, the destination system will normally
   select the SPI value.  By having the destination select the SPI
   value, there is no potential for manually configured Security
   Associations to conflict with automatically configured (e.g., via a
   key management protocol) Security Associations or for Security
   Associations from multiple sources to conflict with each other. 

This means that *IN PRACTICE*, the "REQUIRED" verbiage you cite means
very little.

Moreover, the author of 2401 has stated in public on several occasions
without objection that the "REQUIRED" bits will be weakened in a 2401
follow-on.

> In any case, I think you bring up another point. Probably you in your
> implementation (probably being an "endpoint" IPsec implementation), will
> only deal with a maximum of a couple of IPsec SAs at any time. 

Please keep ad-hominem attacks off the list.

The Solaris IPsec implementation handles quite a few more SAs than
that.


						- Bill