
Re: Thanks for answering: About UDP Encapsulation of IPsec Packets

> but I am still not very clear. As RFC 2401 said, <SPI, DST, PROT> is unique.
> Suppose two packets come out from behind the NAT; though they come
> from different hosts, the packets may have the same source IP address and
> dest IP address. Should they have different SPIs?
>

Yes.  The SPI value is assigned by the *receiver* as part of key
management.

You're talking about this case:

            +---+
        A---|   |
            | N |-----C
        B---|   |
            +---+

and asking about inbound SAs to "C":

"N" is a NAT, which has address "N" from the point of view of C

C assigns the SPIs for all its inbound unicast SAs.

A negotiates an SA with C, C assigns SPI X to it.

B negotiates an SA with C, C assigns SPI Y to it, Y != X

> Does that mean <SPI, PROT> must be unique in IPsec?

No, C could have a second address "D" and reuse X and Y for that address.

					- Bill
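As an added illustration (not part of Bill's reply or of RFC 2401 itself), a toy model of receiver C's inbound SA database keyed by <SPI, DST, PROT>: the NAT address N is never part of the key, C hands out X and Y for A and B, and X can be reused on C's second address D without a clash. Names A, B, C, D, N follow the diagram above; the peer labels and the random SPI picker are constructed for the example.

```python
from dataclasses import dataclass
import secrets

ESP = 50  # IP protocol number for ESP; AH would be 51


@dataclass(frozen=True)
class SaKey:  # the <SPI, DST, PROT> triple that identifies an inbound SA
    spi: int
    dst: str
    proto: int


class InboundSad:
    """Receiver-side SA database: C picks the SPI of every inbound SA, so the
    triple is unique per local address; the peer's source address (N) is not a key."""

    def __init__(self):
        self.sas = {}  # SaKey -> label of the peer that negotiated the SA

    def register(self, spi, dst, peer, proto=ESP):
        key = SaKey(spi, dst, proto)
        if key in self.sas:
            raise ValueError(f"SPI {spi:#x} already in use for <{dst}, {proto}>")
        self.sas[key] = peer
        return key

    def assign(self, dst, peer, proto=ESP):
        # Random SPI outside the reserved 0-255 range, retried until it does
        # not collide with an existing <SPI, DST, PROT> on this receiver.
        while True:
            spi = 256 + secrets.randbelow(2**32 - 256)
            if SaKey(spi, dst, proto) not in self.sas:
                return self.register(spi, dst, peer, proto)

    def lookup(self, spi, dst, proto=ESP):
        return self.sas.get(SaKey(spi, dst, proto))


def nat_scenario():
    """A and B sit behind NAT N; both negotiate inbound SAs to C."""
    c = InboundSad()
    x = c.assign("C", "A (via N)").spi  # SPI X chosen by C
    y = c.assign("C", "B (via N)").spi  # SPI Y chosen by C, Y != X
    c.register(x, "D", "E")             # X reused for C's second address D: fine
    try:
        c.register(x, "C", "F")         # same <X, C, ESP> twice: rejected
        clash = False
    except ValueError:
        clash = True
    return c, x, y, clash
```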