Re: Thanks for answering: About UDP Encapsulation of IPsec Packets
> but I am still not very clear. As RFC 2401 says, <SPI, DST, PROT> is unique;
> suppose two packets come out from behind the NAT. Though they come
> from different hosts, the packets may have the same source IP address and
> dest IP address. Must they have different SPIs?
>
Yes. The SPI value is assigned by the *receiver* as part of key
management.
You're talking about this case:
    +---+
A---|   |
    | N |-----C
B---|   |
    +---+
and asking about inbound SAs to "C":
"N" is a NAT, which has address "N" from the point of view of C.
C assigns the SPIs for all its inbound unicast SAs.
A negotiates an SA with C, C assigns SPI X to it.
B negotiates an SA with C, C assigns SPI Y to it, Y != X
> Does that mean <SPI, PROT> must be unique in IPSec?
No, C could have a second address "D" and reuse X and Y for that address.
- Bill
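As an added example (not part of Bill's reply or of any IPsec implementation), a small Python model of the receiver-side SA lookup described above: inbound SAs are keyed on <SPI, DST, PROT>, the receiver C allocates the SPIs, and both the NAT case (A and B behind N) and the second-address case (D reusing X) are walked through. Host names A, B, C, D and the SPI values are constructed for the example.

```python
"""Toy inbound Security Association Database (SAD) keyed on <SPI, DST, PROT>,
as RFC 2401 describes. Added example; hosts/SPIs are constructed."""
from dataclasses import dataclass, field

ESP = 50  # IP protocol number for ESP
AH = 51   # IP protocol number for AH


@dataclass
class InboundSAD:
    """Receiver-side SAD: maps (spi, dst_addr, proto) -> peer that owns the SA."""
    sad: dict = field(default_factory=dict)
    _next_spi: int = 256  # SPIs 1..255 are reserved by IANA (RFC 2401)

    def assign_spi(self, dst_addr, proto, peer, want=None):
        """The *receiver* picks the SPI for a new inbound SA ending at dst_addr.
        'want' asks for a specific value; it is granted only if the triple
        <want, dst_addr, proto> is not already in use (real stacks pick randomly;
        sequential allocation here keeps the example deterministic)."""
        if want is not None:
            if (want, dst_addr, proto) in self.sad:
                raise ValueError("SPI %#x already used for %s/%d" % (want, dst_addr, proto))
            spi = want
        else:
            spi = self._next_spi
            while (spi, dst_addr, proto) in self.sad:
                spi += 1
            self._next_spi = spi + 1
        self.sad[(spi, dst_addr, proto)] = peer
        return spi

    def lookup(self, spi, dst_addr, proto):
        """Inbound packet demux: the outer source address is NOT part of the key."""
        return self.sad.get((spi, dst_addr, proto))


def nat_scenario():
    """A and B sit behind NAT N and both negotiate ESP SAs with C.  Their packets
    reach C with outer src N and dst C, so only the SPI distinguishes them."""
    c = InboundSAD()
    x = c.assign_spi("C", ESP, peer="A")          # C assigns SPI X to A's SA
    y = c.assign_spi("C", ESP, peer="B")          # C assigns SPI Y to B's SA, Y != X
    x_on_d = c.assign_spi("D", ESP, peer="A", want=x)  # second address D may reuse X
    try:                                          # but X cannot be reused for C itself
        c.assign_spi("C", ESP, peer="B", want=x)
        rejected = False
    except ValueError:
        rejected = True
    return {"x": x, "y": y, "x_on_D": x_on_d, "reuse_on_C_rejected": rejected,
            "pkt_from_A": c.lookup(x, "C", ESP), "pkt_from_B": c.lookup(y, "C", ESP)}
```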