Thanks for answering: About UDP Encapsulation of IPsec Packets
Thank you very much.
> RFC-2401:
> > A security association is uniquely identified by a triple consisting
> > of a Security Parameter Index (SPI), an IP Destination Address, and a
> > security protocol (AH or ESP) identifier.
but I am still not very clear. As RFC-2401 says, <SPI, DST, PROT> is unique.
Suppose two packets come out from behind the NAT; though they come from
different hosts, the packets may have the same source IP address and
destination IP address. Must they have different SPIs? Does that mean
<SPI, PROT> must be unique in IPsec?
How about we encapsulate the packet like this:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Length             |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Original IP address                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     ESP header [RFC 2406]                     |
~                                                               ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Source Port is set to the value 501, as is described in
"draft-ietf-ipsec-udp-encaps-justification-00.txt"; the Destination Port is
set to the value 501 or to the port value of the peer after translation by NAPT.
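As an added illustration (example code, not from the mail or from any IETF draft) of the layout and the question above: a small Python builder and parser for the proposed encapsulation, which then derives the RFC 2401 <SPI, DST, PROT> triple and a key extended with the carried original address for two constructed datagrams from different hosts behind one NAT. Assumptions: the "Original IP address" field carries the 4-byte original (pre-NAT) source IPv4 address, port 501 is used as in the mail, and the UDP checksum is left at zero.

```python
import socket
import struct

# Port value from the mail (assumption: used for both ends). Field widths follow the
# diagram: 8-byte UDP header, 4-byte original IPv4 address, then the RFC 2406 ESP
# header (32-bit SPI, 32-bit sequence number) followed by the ESP payload.
UDP_ENCAP_PORT = 501
HDR_FMT = "!HHHH"   # source port, destination port, length, checksum
ESP_FMT = "!II"     # SPI, sequence number

def build_packet(src_port, dst_port, original_ip, spi, seq, payload):
    """Encapsulate an ESP packet in the proposed UDP format (sample builder)."""
    body = socket.inet_aton(original_ip) + struct.pack(ESP_FMT, spi, seq) + payload
    # Length covers header and body; checksum left zero ("no checksum" for IPv4 UDP).
    return struct.pack(HDR_FMT, src_port, dst_port, 8 + len(body), 0) + body

def parse_packet(data):
    """Split an encapsulated datagram into its fields, rejecting truncated input."""
    if len(data) < 20:
        raise ValueError("too short for UDP header, original address and ESP header")
    src_port, dst_port, length, checksum = struct.unpack_from(HDR_FMT, data, 0)
    if length != len(data):
        raise ValueError("UDP length field does not match datagram size")
    spi, seq = struct.unpack_from(ESP_FMT, data, 12)
    return {"src_port": src_port, "dst_port": dst_port,
            "original_ip": socket.inet_ntoa(data[8:12]),
            "spi": spi, "seq": seq, "payload": data[20:]}

def sa_key_rfc2401(outer_dst_ip, pkt):
    """The RFC 2401 triple: <SPI, outer destination address, protocol>."""
    return (pkt["spi"], outer_dst_ip, "ESP")

def sa_key_with_original(outer_dst_ip, pkt):
    """Triple extended with the original (pre-NAT) source address from the header."""
    return sa_key_rfc2401(outer_dst_ip, pkt) + (pkt["original_ip"],)

def classify(outer_dst_ip, datagrams):
    """How many distinct SAs each key can tell apart in a batch of received datagrams."""
    parsed = [parse_packet(d) for d in datagrams]
    triple = {sa_key_rfc2401(outer_dst_ip, p) for p in parsed}
    extended = {sa_key_with_original(outer_dst_ip, p) for p in parsed}
    return len(triple), len(extended)

# Constructed sample: two hosts behind one NAT send to gateway 192.0.2.1 with the
# same SPI; after NAPT both datagrams share the same outer source address.
GATEWAY = "192.0.2.1"
SAMPLE = [
    build_packet(UDP_ENCAP_PORT, UDP_ENCAP_PORT, "10.0.0.1", 0x1000, 1, b"ciphertext-A"),
    build_packet(UDP_ENCAP_PORT, UDP_ENCAP_PORT, "10.0.0.2", 0x1000, 1, b"ciphertext-B"),
]

if __name__ == "__main__":
    print(classify(GATEWAY, SAMPLE))  # (1, 2)
```

With identical SPIs the RFC 2401 triple alone yields one key for both datagrams, while the extended key separates them. In deployed IPsec the receiving gateway chooses the inbound SPI for each SA it accepts, so it is in a position to keep the triples distinct itself.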