Re: Thanks for answering: About UDP Encapsulation of IPsec Packets

Bill Sommerfeld <sommerfeld@east.sun.com> Tue, 23 April 2002 15:37 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3NFbfa19244; Tue, 23 Apr 2002 08:37:41 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id KAA13913 Tue, 23 Apr 2002 10:43:14 -0400 (EDT)
Message-Id: <200204231452.g3NEqrKw028010@thunk.east.sun.com>
From: Bill Sommerfeld <sommerfeld@east.sun.com>
To: Jerry Yao <jerryyao@mail.jl.cn>
cc: Ari Huttunen <Ari.Huttunen@f-secure.com>, "Parn, William" <parn@cryptek.com>, ipsec_forum <ipsec@lists.tislabs.com>
Subject: Re: Thanks for answering: About UDP Encapsulation of IPsec Packets
In-Reply-To: Your message of "Tue, 23 Apr 2002 22:33:28 +0800." <009f01c1ead4$03e748e0$04a7c6ca@server>
Reply-to: sommerfeld@east.sun.com
Date: Tue, 23 Apr 2002 10:52:53 -0400
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

> but I am still not very clear. As RFC 2401 says, <SPI, DST, PROT> is unique;
> suppose two packets come out from behind the NAT. Though they come
> from different hosts, the packets may have the same source IP address and
> dest IP address. Must they have different SPIs?
>

Yes.  The SPI value is assigned by the *receiver* as part of key
management.

You're talking about this case:

            +---+
        A---|   |
            | N |-----C
        B---|   |
            +---+

and asking about inbound SA's to "C":

"N" is a NAT, which has address "N" from the point of view of C

C assigns the SPI's for all its inbound unicast SA's.

A negotiates an SA with C, C assigns SPI X to it.

B negotiates an SA with C, C assigns SPI Y to it, Y != X

> Does that mean <SPI, PROT> must be unique in IPsec?

No, C could have a second address "D" and reuse X and Y for that address.

					- Bill
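The scenario in Bill's reply, worked through as an added example (constructed here; it is not code from the thread, from RFC 2401, or from any IPsec implementation): a receiver-side SA table keyed on <SPI, DST, PROT>, in which C assigns SPI X to A and SPI Y to B behind NAT N, refuses to hand out X twice for the same local address, and may reuse X and Y for its second address D. The inbound demux deliberately ignores the outer source address, which is N for both peers. The host names, addresses and SPI values are assumptions.

```python
import secrets
from dataclasses import dataclass

# Constructed model of receiver-side SPI assignment (RFC 2401 style).
# Example only; names A, B, C, D, N and the SPI values are assumptions.

RESERVED_SPI_MAX = 255  # RFC 2401: SPI values 1..255 are reserved by IANA


@dataclass(frozen=True)
class SaSelector:
    """Inbound SA lookup key: <SPI, destination address, security protocol>."""
    spi: int
    dst: str
    proto: str  # "ESP" or "AH"


class InboundSad:
    """Security Association Database for one receiver. Because the receiver
    chooses every inbound SPI, it can guarantee <SPI, DST, PROT> is unique."""

    def __init__(self):
        self._sas = {}  # SaSelector -> name of the peer that sends on that SA

    def allocate(self, dst, proto, peer, spi=None):
        """Assign an inbound SPI for traffic from `peer` to local address `dst`.
        With an explicit `spi`, fail on a collision within the same <dst, proto>;
        otherwise pick a fresh random non-reserved value."""
        if spi is None:
            while True:
                spi = secrets.randbelow(2**32 - RESERVED_SPI_MAX) + RESERVED_SPI_MAX + 1
                if SaSelector(spi, dst, proto) not in self._sas:
                    break
        key = SaSelector(spi, dst, proto)
        if key in self._sas:
            raise ValueError(f"SPI {spi:#x} already in use for <{dst}, {proto}>")
        self._sas[key] = peer
        return spi

    def lookup(self, dst, proto, spi):
        """Inbound demux. The outer source address is not part of the key:
        behind NAT N, packets from both A and B arrive with source N."""
        return self._sas.get(SaSelector(spi, dst, proto))


def scenario():
    """C's view of the diagram: A and B behind NAT N, C with a second address D."""
    sad = InboundSad()
    X = sad.allocate("C", "ESP", peer="A", spi=0x1000)
    try:
        sad.allocate("C", "ESP", peer="B", spi=X)  # same <C, ESP>: must be refused
        collision_rejected = False
    except ValueError:
        collision_rejected = True
    Y = sad.allocate("C", "ESP", peer="B", spi=0x2000)  # Y != X

    # Second local address D: X and Y can be reused, the triple stays unique.
    X_on_D = sad.allocate("D", "ESP", peer="A", spi=X)
    Y_on_D = sad.allocate("D", "ESP", peer="B", spi=Y)

    # Constructed inbound packets as seen by C after NAT: outer src is N for all.
    packets = [
        {"src": "N", "dst": "C", "proto": "ESP", "spi": X},
        {"src": "N", "dst": "C", "proto": "ESP", "spi": Y},
        {"src": "N", "dst": "D", "proto": "ESP", "spi": X},
        {"src": "N", "dst": "C", "proto": "ESP", "spi": 0x3000},  # no such SA
    ]
    demux = [sad.lookup(p["dst"], p["proto"], p["spi"]) for p in packets]
    return {
        "X": X, "Y": Y, "collision_rejected": collision_rejected,
        "X_on_D": X_on_D, "Y_on_D": Y_on_D, "demux": demux,
    }


if __name__ == "__main__":
    print(scenario())
```

Running the block prints the scenario dictionary: X and Y differ, the attempted reuse of X on <C, ESP> is rejected, X and Y are accepted again for address D, and the four constructed packets demux to A, B, A and no SA respectively.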