[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: NAT Traversal

To: "Chinna N.R. Pellacuru" <pcn@xxxxxxxxx>
Subject: RE: NAT Traversal
From: Stephen Kent <kent@xxxxxxx>
Date: Mon, 4 Mar 2002 18:22:50 -0500
Cc: Srinivasa Addepalli <srao@xxxxxxxxxxxxx>, Jayant Shukla <jshukla@xxxxxxxxxxx>, "'Henrik Levkowetz'" <henrik@xxxxxxxxxxxxxxx>, "'ipsec mailling list'" <ipsec@xxxxxxxxxxxxxxxxx>
In-reply-to: <>
References: <>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx

Chinna,

Reasonable questions. Let me try to provide some history and explain the motivations for the clarifications:

<SNIP>

> Just a few notes re this discussion:


	- the revised ESP/AH documents emphasize that an IPsec
 implementation need not use the protocol type for SPI
 differentiation. so, if one starts assuming this is true, it will be
 yet another conflict with the IPsec specs


Curious what are the reasons for removing this restriction, and what are
the cons of still reqiring that this restriction apply.

There was never a real need to use the protocol type and, in fact, one IPsec device generally cannot tell if its peer is or is not using the protocol type for SPI demuxing. We got feedback over the last 2 years from vendors asking us to revise the description to better reflect what they tended to do, and which in no way detracted from interoperability.

As for the destination address, this was a result of poor wording, i.e., we never needed this for demuxing, except for multicast, but we did a very poor job of saying that. Again, we have gotten feedback from vendors who didn't understand why this "requirement" was imposed, and so we explained under what circumstances one really needs to use the dest addr for SPI demuxing.


	- similarly, an IPsec implementation does not need to use the
 dest IP address as part of the SPI lookup, unless that address is for
 a multicast group.


Here also, curious why that it is not required anymore to have dest IP
address as part of SPI lookup.

It never was needed, as noted above, except for multicast. It is needed for multicast only because in that case the receiver does NOT select the SPI, i.e., the multicast controller does. If you propose to impose restrictions on SPI generation, you should take into account the multicast case as well. The MSEC WG is getting close to promulgating standards that will support the simple case, single sender, multiple receivers, so we should be careful to not do anything that will interfere with that work.

	- do I understand correctly that you are suggesting a change
 to the specs to reduce the effective SPI space by a factor of 65K?
 is everyone comfortable with this?

Steve


I am suggesting that the original concept of IPsec SA being identified by
a tuple: destination IP, protocol, SPI be required, and within the SPI add
new semantics for picking a SPI on the phase2 responder.

The new ESP ID, published before the December IETF, clarified the SPI demuxing description. We have received feedback on the ID, and nobody has voiced any objections to this revised SPI demuxing description. There appear to be no "cons" to the new wording. The "pros" are that IPsec implementations need not spend cycles matching additional fields in inbound IPsec headers that are not needed to demux SAs, which potentially improves performance. As people develop high speed IPsec implementations (note the extended sequence number option is motivated by the need to support multi-gigabit IPsec speeds), using fewer inputs to SA selection for inbound traffic reduces costs (e.g., narrower CAMs).

Steve

Follow-Ups:
- RE: NAT Traversal
  - From: Paul Koning
- RE: NAT Traversal
  - From: Chinna N.R. Pellacuru

References:
- RE: NAT Traversal
  - From: Chinna N.R. Pellacuru

Prev by Date: RE: NAT Traversal
Next by Date: RE: NAT Traversal
Previous by thread: RE: NAT Traversal
Next by thread: RE: NAT Traversal
Index(es):
- Date
- Thread