
Re: NAT Traversal



On 7 Mar 2002, Derek Atkins wrote:

> "Chinna N.R. Pellacuru" <pcn@cisco.com> writes:
>
> > If someone has just one IP address to use as his local endpoint, then
> > probably 64K IPsec connections is more than enough for him. That box has
> > to first be able to handle so many IPsec connections.
>
> You are missing one thing.  Yes, there is a potential to hold 64k
> connections, except by the birthday paradox you will get a hash
> collision after 256 connections.  Don't you think that 256 connections
> is too few?
>
> -derek
>

Yes, I stumped on the "birthday paradox". Thanks to Paul and you too for
pointing that out.

Hey, I haven't given out the full details of my "hash function". I think
we should be more careful and not pick a real hash function :-)

A hash function could just be: output the last two bytes of the SPI,
assuming that the SPI was generated randomly or at least the last two
bytes of the initiator SPI were generated randomly.

I would like to request help in coming up with a good hash function for
this specific purpose. I am still waiting on the help in general that I
requested earlier too.

    thanks,
    chinna

chinna narasimha reddy pellacuru
s/w engineer
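
Added example, not part of the original message or of either participant's code: the birthday bound discussed in this thread, computed exactly for a 16-bit hash and checked by simulation against the "last two bytes of the SPI" hash. It assumes initiator SPIs are uniformly random 32-bit values; all function names are hypothetical.

```python
import random

BUCKETS = 1 << 16  # 16-bit hash output: the "64K" space from the thread


def spi_hash(spi: int) -> int:
    """The hash proposed in the message: the last two bytes of the 32-bit SPI."""
    return spi & 0xFFFF


def collision_probability(n: int, buckets: int = BUCKETS) -> float:
    """Exact probability that n uniformly hashed peers yield at least one collision."""
    p_unique = 1.0
    for i in range(n):
        p_unique *= (buckets - i) / buckets
    return 1.0 - p_unique


def peers_for_probability(target: float, buckets: int = BUCKETS) -> int:
    """Smallest number of peers whose collision probability reaches target."""
    p_unique, n = 1.0, 0
    while 1.0 - p_unique < target:
        p_unique *= (buckets - n) / buckets
        n += 1
    return n


def peers_until_collision(rng: random.Random) -> int:
    """Draw random SPIs until two share a hash; return how many were drawn."""
    seen = set()
    while True:
        h = spi_hash(rng.getrandbits(32))  # assumption: SPI is uniformly random
        if h in seen:
            return len(seen) + 1
        seen.add(h)


def mean_peers_until_collision(trials: int = 2000, seed: int = 1) -> float:
    """Average first-collision point over repeated constructed runs (fixed seed)."""
    rng = random.Random(seed)
    return sum(peers_until_collision(rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for n in (64, 128, 256, 512, 1024):
        print(f"{n:5d} peers: P(collision) = {collision_probability(n):.3f}")
    print("50% reached at", peers_for_probability(0.5), "peers")
    print("simulated mean until first collision:", mean_peers_until_collision())
```

The square-root scaling holds for any hash with uniform 16-bit output, so a stronger hash function over the same output width does not move these numbers; only a wider output or explicit collision handling does.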