RE: NAT Traversal
On Thu, 7 Mar 2002, Chinna N.R. Pellacuru wrote:
> On Thu, 7 Mar 2002, Chinna N.R. Pellacuru wrote:
>
> > On Wed, 6 Mar 2002, Stephen Kent wrote:
> >
> > > That minimal or non-existent impact stands in stark contrast to a
> > > proposal to reduce the space by a factor of 65K.
> > >
> > > Steve
> > >
> >
> > Point taken. We propose to folks who want to use our proposal to reduce
> > the SPI space by 16 bits, but not give up their flexibility of using
> > different tunnel endpoints to demux incoming ESP/AH traffic.
> >
>
> That way people can use a SPI as:
>
> SPI: the 16-bit value used to distinguish among different
> SAs terminating at the same destination and using the same
> IPsec protocol.
>
> The tunnel endpoint discussion is a different one than this one. So, for
> each peer an IPsec implementation is peering with, we can still have 64k
> SPIs that are generated locally.
>
> So, an IPsec implementation is in no way restricted to a total of 64k
> total SPIs but is restricted to a total of 64k SPIs to a particular peer
> (a particular remote tunnel endpoint).
>
OK, for each local tunnel endpoint, we are restricted to 64k SPIs, and it
may be more depending on what hash function is used to generate the other
half.
chinna