
Re: NAT Traversal



"Scott G. Kelly" <skelly@SonicWALL.com> wrote:

Saroop Mathur wrote:
> If changing the ESP header bits is an option, then it may make more
> sense to include both source and dest SPIs in the header instead of
> increasing the SPI size to either 6 or 8 bytes. IP, TCP and UDP include
> both src/dest fields. This way the semantics of the entire SPI bits
> remain with the entity generating the SPIs while allowing the NAT
> devices to allow proper mapping.
>
> In order to maintain 8-byte alignment, the Sequence number can also be
> increased to 64 bits. Alternatively SPIs can be increased to 48-bits
> and the sequence number bits remain the same.

One obvious problem with changing the ESP header is that it does not
contain a version number. Hence, an intermediary (such as a nat box)
would have difficulty determining what it was looking at. I don't think
changing the ESP header is seriously up for consideration here.

Scott


Without taking any sides on the NAT issue or on whether the ESP header should be modified or not:

I would like to point out that the lack-of-a-version-number issue can be worked around by using reserved SPI values to indicate that a new header is being used; however, it will waste 3 bytes of the ESP header, which is definitely not efficient.

If the ESP header is made transparent to NAT intermediaries by encapsulation, then the format of the ESP header needs to be known only to the end-points. The format and version of the ESP header can then be determined during the SA setup protocol.

-- sankar --
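The mapping problem the thread is arguing about can be made concrete with a small simulation. The following is an added example and is not part of the original message or of any IPsec implementation. It encodes the standard 8-byte ESP header (32-bit SPI plus 32-bit sequence number, per RFC 4303), a hypothetical 16-byte dual-SPI layout standing in for Saroop's proposal (source SPI, destination SPI, 64-bit sequence number, which keeps 8-byte alignment), the IANA-reserved SPI range that sankar's workaround would draw from, and the UDP/4500 demultiplexing of RFC 3948 that makes ESP opaque to a NAT. The SPI values and addresses are constructed for the demo. The `RawEspNat` class shows why a NAT in front of raw ESP cannot map inbound packets with a single SPI (the SPI it saw outbound was chosen by the remote peer, while inbound packets carry the SPI chosen by the internal host) and why carrying both SPIs would let it.

```python
import struct

# Layout facts from RFC 4303 (ESP) and RFC 3948 (UDP encapsulation of ESP on port 4500).
ESP_HEADER = struct.Struct("!II")          # 32-bit SPI, 32-bit sequence number (8 bytes)
NON_ESP_MARKER = b"\x00\x00\x00\x00"       # IKE carried inside UDP/4500 starts with four zero bytes
NAT_KEEPALIVE = b"\xff"                    # one-byte NAT-keepalive payload
IANA_RESERVED_SPI_MAX = 255                # SPIs 1..255 are IANA-reserved; SPI 0 is local use only

# Hypothetical layout for the dual-SPI proposal discussed in the thread (not a standard):
# source SPI, destination SPI, 64-bit sequence number. 16 bytes, so 8-byte alignment holds.
DUAL_SPI_HEADER = struct.Struct("!IIQ")


def parse_esp(packet):
    """Return (spi, seq) from a standard ESP header."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("packet shorter than ESP header")
    return ESP_HEADER.unpack_from(packet)


def parse_dual_spi(packet):
    """Return (src_spi, dst_spi, seq) from the hypothetical dual-SPI header."""
    if len(packet) < DUAL_SPI_HEADER.size:
        raise ValueError("packet shorter than dual-SPI header")
    return DUAL_SPI_HEADER.unpack_from(packet)


def spi_is_reserved(spi):
    """SPI values an SA-setup protocol must not allocate to ordinary SAs (0 and the IANA range)."""
    return 0 <= spi <= IANA_RESERVED_SPI_MAX


def classify_udp4500(payload):
    """Demultiplex a UDP/4500 payload as a NAT-T endpoint does; the NAT itself only sees UDP ports."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    return "esp"


class RawEspNat:
    """Simulated NAT in front of raw ESP (IP protocol 50), where there are no ports to rewrite.

    dual_spi=False: the NAT sees one SPI, chosen by the remote peer, so an inbound packet
    (carrying the SPI chosen by the internal host) cannot be matched to an internal address.
    dual_spi=True:  the outbound source SPI is the internal host's own SPI and reappears as
    the inbound destination SPI, so the NAT can map it, as it does with TCP/UDP ports.
    """

    def __init__(self, dual_spi=False):
        self.dual_spi = dual_spi
        self.table = {}   # SPI learned from outbound traffic -> internal address

    def outbound(self, internal_ip, packet):
        if self.dual_spi:
            src_spi, _dst_spi, _seq = parse_dual_spi(packet)
            self.table[src_spi] = internal_ip
        else:
            spi, _seq = parse_esp(packet)      # the remote peer's SPI: never seen inbound
            self.table.setdefault(spi, internal_ip)

    def inbound(self, packet):
        """Return the internal address to forward to, or None if no mapping exists."""
        if self.dual_spi:
            _src_spi, dst_spi, _seq = parse_dual_spi(packet)
            return self.table.get(dst_spi)
        spi, _seq = parse_esp(packet)
        return self.table.get(spi)


def demo():
    """Constructed scenario: internal host A (10.0.0.5) chose SPI 0x1000 for traffic to it,
    remote peer R chose SPI 0x2000 for traffic to it."""
    a_spi, r_spi = 0x1000, 0x2000
    body = b"\x00" * 16   # constructed stand-in for the encrypted payload

    single = RawEspNat(dual_spi=False)
    single.outbound("10.0.0.5", ESP_HEADER.pack(r_spi, 1) + body)
    single_result = single.inbound(ESP_HEADER.pack(a_spi, 1) + body)        # None: unmatched

    dual = RawEspNat(dual_spi=True)
    dual.outbound("10.0.0.5", DUAL_SPI_HEADER.pack(a_spi, r_spi, 1) + body)
    dual_result = dual.inbound(DUAL_SPI_HEADER.pack(r_spi, a_spi, 1) + body)   # "10.0.0.5"
    return single_result, dual_result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(None, '10.0.0.5')`: the single-SPI NAT has no way to forward the reply, the dual-SPI variant does. The `classify_udp4500` function is the encapsulation alternative sankar raises: with UDP encapsulation the NAT keys its mapping on the outer UDP ports alone and never has to understand the ESP header at all, which is why its format only has to be agreed between the two endpoints.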
