
RE: NAT Traversal



On Thu, 7 Mar 2002, Chinna N.R. Pellacuru wrote:

> On Thu, 7 Mar 2002, Chinna N.R. Pellacuru wrote:
>
> > On Wed, 6 Mar 2002, Stephen Kent wrote:
> >
> > > That minimal or non-existent impact stands in stark contrast to a
> > > proposal to reduce the space by a factor of 65K.
> > >
> > > Steve
> > >
> >
> > Point taken. We propose to folks who want to use our proposal to reduce
> > the SPI space by 16 bits, but not give up their flexibility of using
> > different tunnel endpoints to demux incoming ESP/AH traffic.
> >
>
> That way people can use a SPI as:
>
>            SPI: the 16-bit value used to distinguish among different
>            SAs terminating at the same destination and using the same
>            IPsec protocol.
>
> The tunnel endpoint discussion is a different one than this one. So, for
> each peer an IPsec implementation is peering with, we can still have 64k
> SPIs that are generated locally.
>
> So, an IPsec implementation is in no way restricted to a total of 64k
> total SPIs but is restricted to a total of 64k SPIs to a particular peer
> (a particular remote tunnel endpoint).
>

OK, for each local tunnel endpoint, we are restricted to 64k SPIs, and it
may be more depending on what hash function is used to generate the other
half.

    chinna