
RE: NAT Traversal



At 7:15 PM -0800 3/4/02, Saroop Mathur wrote:
On Mon, 4 Mar 2002, Stephen Kent wrote:

 > At 3:52 PM -0800 3/4/02, Chinna N.R. Pellacuru wrote:
 > >Hi Steve,
 > >
 > >Is it possible that along with the sequence number, we also increase the
 > >SPI space so that we can use some of the SPI space for NAT translation.
 > >We could keep the original restrictions on how to pick an SA, or we need
 > >to come up with elaborate schemes to effectively increase the SPI space,
 > >like you are attempting to increase the sequence number.
 >
 > I see a problem here. We increased the sequence number size, but
 > didn't transmit the extra (high order) 32 bits!  So, I can't see
 > folks being fond of an increase in SPI size.  It is no accident that
 > the current ESP header is a multiple of both 4 and 8 bytes, using the
 > default integrity algorithm length, specifically to ensure IPv4 and
 > v6 alignment for the payload. Adding 2 bytes for a bigger SPI would
 > break that alignment.

If changing the ESP header bits is an option, then it may make more
sense to include both source and dest SPIs in the header instead of
increasing the SPI size to either 6 or 8 bytes. IP, TCP and UDP include
both src/dest fields. This way the semantics of the entire SPI bits
remain with the entity generating the SPIs while allowing the NAT
devices to allow proper mapping.

Please reread my comments. We explicitly did NOT change the header to accommodate the extra sequence number bits. Also, the reasons that IP, TCP and UDP include both source and destination addresses and/or port fields have to do with the model for demuxing that they adopted (>25 years ago). We articulated an approach to demuxing for ESP/AH that is different, and more space efficient. We have different modes here.


In order to maintain 8-byte alignment, the Sequence number can also be
increased to 64 bits. Alternatively SPIs can be increased to 48-bits
and the sequence number bits remain the same.

-Saroop

If one wanted to increase the size of the header and maintain 8-byte alignment, there are many ways to do that. But I don't think the IPsec community has expressed a general desire to double the header size for all traffic, as a means of reducing the overhead for NAT traversal.


Steve
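Steve's point that the extra high-order sequence number bits are never transmitted is the crux of Extended Sequence Numbers: the ESP header stays 8 bytes, and the receiver reconstructs the high half from its own anti-replay state and folds it into the ICV check. The Python below is an added illustration, not code from this thread or from any IPsec implementation; it follows the case analysis of RFC 4303 Appendix A, and the function names and sample values are mine.

```python
import struct

# Receiver-side reconstruction of the implicit high-order 32 bits of an
# IPsec Extended Sequence Number (ESN), per RFC 4303 Appendix A.
# Only the low-order 32 bits (Seql) are carried in the ESP header; the
# receiver infers the high-order half (Seqh) from the highest sequence
# number it has authenticated so far (Th, Tl) and its anti-replay window W.

MASK32 = 0xFFFFFFFF


def infer_esn(th: int, tl: int, seql: int, window: int) -> int:
    """Return the 64-bit sequence number implied by the received low half.

    th, tl  -- high/low 32 bits of the highest authenticated sequence number
    seql    -- low-order 32 bits taken from the ESP header
    window  -- anti-replay window size W, in packets
    """
    # Bottom of the replay window, computed in the 32-bit low-order space.
    bl = (tl - window + 1) & MASK32
    if tl >= window - 1:
        # Case A: the window lies entirely within one 2^32 subspace.
        # Anything at or above the window bottom is in the current
        # subspace; anything below it must already be the next subspace.
        seqh = th if seql >= bl else th + 1
    else:
        # Case B: the window straddles a 2^32 boundary.  Large low-order
        # values are the tail of the previous subspace; small ones are
        # the current subspace.
        seqh = th - 1 if seql >= bl else th
    return (seqh << 32) | seql


def esn_icv_input(esp_header_and_payload: bytes, seqh: int) -> bytes:
    """Bytes covered by the ICV when ESN is in use.

    The inferred high-order 32 bits are appended after the ESP trailer for
    the integrity computation only; they are not placed on the wire.  If the
    receiver guessed Seqh wrong, the ICV check fails and the packet is dropped.
    """
    return esp_header_and_payload + struct.pack(">I", seqh & MASK32)


if __name__ == "__main__":
    # Constructed sample: highest seen so far is 0x00000001_FFFFFFFE, W = 64,
    # and the next header carries low-order value 5 -> high half rolls to 2.
    full = infer_esn(th=1, tl=0xFFFFFFFE, seql=5, window=64)
    print(hex(full))  # 0x200000005
```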