Thanks for answering: About UDP Encapsulation of IPsec Packets
Jerry Yao <jerryyao@mail.jl.cn> Tue, 23 April 2002 14:57 UTC
Date: Tue, 23 Apr 2002 22:33:28 +0800
From: Jerry Yao <jerryyao@mail.jl.cn>
Subject: Thanks for answering: About UDP Encapsulation of IPsec Packets
To: Ari Huttunen <Ari.Huttunen@f-secure.com>, "Parn, William" <parn@cryptek.com>
Cc: ipsec_forum <ipsec@lists.tislabs.com>
Thank you very much.

> > RFC-2401:
> > A security association is uniquely identified by a triple consisting
> > of a Security Parameter Index (SPI), an IP Destination Address, and a
> > security protocol (AH or ESP) identifier.
>

but I am still not very clear. As RFC 2401 says, <SPI, DST, PROT> is unique. Suppose two packets come out from behind the NAT; though they come from different hosts, the packets may have the same source IP address and destination IP address. Must they have different SPIs? Does that mean <SPI, PROT> must be unique in IPsec?

How about we encapsulate the packet like this:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Original IP address                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    ESP header [RFC 2406]                      |
   ~                                                               ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Source Port is set to the value 501, as described in "draft-ietf-ipsec-udp-encaps-justification-00.txt"
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-justification-00.txt
The Destination Port is set to the value 501 or to the port value of the peer after translation by NAPT.
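As an added illustration, not part of the mail above or of the draft it cites, the following Python builds the encapsulation Jerry proposes (UDP header, original IP, ESP header) and then performs the receiver's <SPI, DST, PROT> lookup for two hosts that share one NAT. The gateway address, the 10.0.0.x hosts, the SPI values and the use of port 501 are constructed sample values; the UDP checksum is left at zero.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    """Selector from RFC 2401: <SPI, destination address, protocol>."""
    spi: int
    dst: str
    proto: str  # "ESP" or "AH"


def build_udp_encaps_esp(src_port, dst_port, original_ip, spi, seq, payload):
    """UDP header + 4-byte original (pre-NAT) IPv4 address + ESP header.
    Constructed sample packet: checksum is zero, no trailer/ICV."""
    orig = bytes(int(o) for o in original_ip.split("."))
    esp = struct.pack("!II", spi, seq) + payload
    length = 8 + 4 + len(esp)
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + orig + esp


def parse_udp_encaps_esp(pkt):
    """Split the encapsulation back into its fields; reject a truncated datagram."""
    src_port, dst_port, length, _csum = struct.unpack("!HHHH", pkt[:8])
    if length != len(pkt):
        raise ValueError("UDP length does not match datagram size")
    original_ip = ".".join(str(b) for b in pkt[8:12])
    spi, seq = struct.unpack("!II", pkt[12:20])
    return {"src_port": src_port, "dst_port": dst_port, "original_ip": original_ip,
            "spi": spi, "seq": seq, "payload": pkt[20:]}


def lookup_sa(sad, outer_dst, pkt):
    """Receiver-side SA lookup. Only SPI, outer destination and protocol select
    the SA; the outer source and the carried original IP play no part."""
    fields = parse_udp_encaps_esp(pkt)
    return sad.get(SA(fields["spi"], outer_dst, "ESP"))


def demo():
    gw = "203.0.113.1"  # our gateway, the outer destination (constructed)
    # Our gateway allocated a distinct inbound SPI for each peer behind the NAT,
    # so <SPI, DST, PROT> stays unique even though the outer source is shared.
    sad = {SA(0x1001, gw, "ESP"): "host A (10.0.0.2)",
           SA(0x1002, gw, "ESP"): "host B (10.0.0.3)"}
    pkt_a = build_udp_encaps_esp(501, 501, "10.0.0.2", 0x1001, 1, b"A")
    pkt_b = build_udp_encaps_esp(501, 501, "10.0.0.3", 0x1002, 1, b"B")
    return lookup_sa(sad, gw, pkt_a), lookup_sa(sad, gw, pkt_b)


if __name__ == "__main__":
    print(demo())
```

Because the lookup ignores the original IP field, two SAs that reused one SPI at the same destination would be indistinguishable; the receiver's SPI allocation, not the inner address, is what keeps the triple unique.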