
RE: NAT Traversal



At 8:15 AM -0800 3/7/02, Chinna N.R. Pellacuru wrote:
	<SNIP>
>
>Elsewhere the RFC alludes to that,
>>  noting that any structure associated with the SPI is up to the receiver,
>>  while the transmitter must view the SPI as opaque. Does your proposal
>>  require that a receiver coordinate with a NAT device in constructing
>>  an SPI? If so, that arguably violates the SPI model embodied in 2401.
>>
>
>IMHO, a NAT device is not an IPsec device, and the NAT device is not a
>receiver of the SPI. The NAT device is only trying to translate ESP
>traffic by *looking* at the SPIs in both directions.
>
>Our scheme suggests that the Quick Mode responder choose to pick a SPI
>according to a known algorithm so that the NAT device can use that extra
>information to translate the ESP traffic. The transmitter will still view
>the SPI as opaque. The Quick Mode responder chooses to pick its SPI by
>using a hash function on the Quick Mode initiator SPI to derive half of
>its SPI. This hash function is known to the NAT device, and the NAT device
>uses that information to Pair the incoming and outgoing SPIs.
>
>We do not require all IPsec implementations to do it. We only require
>implementations that want to implement our proposal to do so all the time.
>All IPsec implementations can do it too. We will not restrict any IPsec
>implementation from doing it. The proposal only advises the various IPsec
>peers to pick their SPIs in a particular way so that the intermediate NAT
>devices can pair the SPIs. This extra information is in no way used by the
>IPsec peers themselves. This extra information is only used by the NAT
>device.
>
>      chinna

Agreed that the NAT devices you are discussing are not IPsec devices. 
And to the extent that the NAT device is in the same administrative 
domain as the IPsec receiver who selects the SPI values, then one 
could argue that it is still a local decision and thus not in 
conflict with the model of 2401.  However, if the NAT device is in a 
different admin domain, I am less comfortable that SPI selection 
remains a local matter.

Steve
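The SPI-pairing scheme described in the quoted message, as an added worked example that is not code from the proposal's authors or from this list: the Quick Mode responder sets half of its SPI to a hash of the initiator's SPI, and a NAT that knows the hash pairs the ESP flows without participating in IKE. Everything the proposal leaves open is an assumption here: the hash is SHA-256 truncated to 16 bits, "half" means the low 16 bits of the 32-bit ESP SPI, the NAT learns the responder SPI from the first outbound ESP packet (the initiator normally transmits first), and an inbound SPI whose tag matches more than one internal host is dropped rather than guessed. The class and function names are hypothetical.

```python
import hashlib
import os

TAG_BITS = 16                     # assumption: "half" of a 32-bit ESP SPI
TAG_MASK = (1 << TAG_BITS) - 1


def spi_pair_tag(initiator_spi: int) -> int:
    """The 'known hash function' of the quoted scheme, instantiated here as
    SHA-256 over the big-endian initiator SPI, truncated to TAG_BITS.
    The proposal does not name a function; this choice is an assumption."""
    digest = hashlib.sha256(initiator_spi.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big") & TAG_MASK


def choose_responder_spi(initiator_spi: int, rng=os.urandom) -> int:
    """Quick Mode responder side: the upper half stays a local choice, the
    lower half is H(initiator SPI). SPI values 0-255 are reserved by
    RFC 2406, so the random half is re-drawn if the result lands there."""
    tag = spi_pair_tag(initiator_spi)
    while True:
        high = int.from_bytes(rng(2), "big")
        spi = (high << TAG_BITS) | tag
        if spi > 255:
            return spi


class EspNat:
    """Minimal model of the NAT side. It never sees the (encrypted) Quick
    Mode exchange: it records the responder SPI from outbound ESP and pairs
    the first inbound ESP packet by recomputing the tag from its SPI."""

    def __init__(self):
        self._by_tag = {}      # tag -> {outbound SPI: internal host}
        self._inbound = {}     # inbound SPI -> internal host, once paired

    def outbound_esp(self, internal_host: str, spi: int) -> None:
        """Outbound ESP from an internal host carries the responder's SPI."""
        self._by_tag.setdefault(spi & TAG_MASK, {})[spi] = internal_host

    def inbound_esp(self, spi: int):
        """Return the internal host for an inbound ESP packet, or None.
        The inbound SPI is the initiator's SPI; its hash must match the low
        half of a previously seen outbound SPI. A tag shared by two different
        internal hosts is ambiguous and is refused rather than guessed."""
        if spi in self._inbound:
            return self._inbound[spi]
        candidates = set(self._by_tag.get(spi_pair_tag(spi), {}).values())
        if len(candidates) != 1:
            return None
        host = candidates.pop()
        self._inbound[spi] = host
        return host


if __name__ == "__main__":
    # Constructed values: one internal host behind the NAT, one peer outside.
    initiator_spi = 0x1234ABCD               # chosen by the host behind the NAT
    responder_spi = choose_responder_spi(initiator_spi)
    nat = EspNat()
    nat.outbound_esp("10.0.0.5", responder_spi)
    print(hex(responder_spi), nat.inbound_esp(initiator_spi))
```

The 16-bit tag is the weak spot a practitioner should notice: with many concurrent SAs behind one NAT, two initiator SPIs hashing to the same tag make the inbound packet unforwardable under this model, and shrinking the responder's free bits also shrinks the SPI space it can use for its own purposes.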