
RE: Phase 2 ID's for different VPN's with different Address Space



This may overlap with what Ari wrote, but could you put security labels on
IP datagrams to identify which VPN they belong to?  This would be an
additional selector you could use in the SPD to differentiate between
datagrams from different VPNs.

You could label the datagrams when you receive them from a VPN and remove
the label when you transmit them back again.

I must confess I'm not at all familiar with these labels so I'm not sure if
this is a valid thing to do, but if it is then it would allow you to create
multiple IP address spaces.

Chris

> -----Original Message-----
> From: Daniel Fox [mailto:dfox@ennovatenetworks.com]
> Sent: 02 November 1999 14:24
> To: Sankar Ramamoorthi
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Phase 2 ID's for different VPN's with different Address
> Space
> 
> 
> Sankar,
> 
>     Thanks for the reply.  Comments below.
> 
> Sankar Ramamoorthi wrote:
> 
> > Wouldn't VPNs with overlapping address space cause a problem
> > only when the address spaces intersect on both ends?
> > If they are just intersecting on one side then the address selectors
> > should be able to uniquely determine which VPN the phase 2 exchange
> > belongs to - right?
> 
> Yeah, but that's not the problem I'm trying to solve.
> 
> >
> >
> > Also in the diagram shown below, wouldn't using identifiers of
> > type IP_ADDRESS_RANGE solve the problem?
> >
> 
> I don't think so.  I think they would still overlap, but I must admit I'm not
> sure what you are getting at.  Would this solve the general case?  If so, could
> you elaborate further?  Thanks.
> 
> 
>
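The labelling idea Chris raises above, worked through as an added Python sketch that is not part of the original thread or of any IPsec implementation. It models an SPD whose entries carry a hypothetical `vpn_label` selector alongside the usual source/destination address selectors, with a constructed policy in which two customer VPNs both number their sites out of 10.0.0.0/8. Entry and datagram fields, the `label_on_ingress`/`strip_on_egress` helpers and the sample addresses are all assumptions made for the example.

```python
"""Added example (not from the thread): an SPD lookup in which overlapping
customer address space is disambiguated by a per-datagram VPN label."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    vpn_label: Optional[str] = None   # hypothetical label attached on ingress


@dataclass(frozen=True)
class SpdEntry:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    vpn_label: Optional[str]          # None: this entry ignores the label
    action: str


def make_entry(src: str, dst: str, action: str, vpn_label: Optional[str] = None) -> SpdEntry:
    return SpdEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst), vpn_label, action)


def spd_lookup(spd: List[SpdEntry], dgram: Datagram) -> List[str]:
    """Return the actions of every SPD entry whose selectors match the datagram.

    A lookup that yields more than one action means the policy is ambiguous
    for that datagram, which is exactly the overlap problem in the thread."""
    src = ipaddress.ip_address(dgram.src)
    dst = ipaddress.ip_address(dgram.dst)
    return [e.action for e in spd
            if src in e.src_net and dst in e.dst_net
            and (e.vpn_label is None or e.vpn_label == dgram.vpn_label)]


def label_on_ingress(dgram: Datagram, vpn: str) -> Datagram:
    """Attach the VPN identity when the datagram arrives from that VPN."""
    return Datagram(dgram.src, dgram.dst, vpn)


def strip_on_egress(dgram: Datagram) -> Datagram:
    """Remove the label again before the datagram is handed back to the VPN."""
    return Datagram(dgram.src, dgram.dst, None)


# Constructed policy: customers A and B both use 10.1.0.0/16 -> 10.2.0.0/16.
SPD_ADDRESS_ONLY = [
    make_entry("10.1.0.0/16", "10.2.0.0/16", "PROTECT via SA to customer A peer"),
    make_entry("10.1.0.0/16", "10.2.0.0/16", "PROTECT via SA to customer B peer"),
]
SPD_WITH_LABELS = [
    make_entry("10.1.0.0/16", "10.2.0.0/16", "PROTECT via SA to customer A peer", vpn_label="vpn-A"),
    make_entry("10.1.0.0/16", "10.2.0.0/16", "PROTECT via SA to customer B peer", vpn_label="vpn-B"),
]


def classify(spd: List[SpdEntry], dgram: Datagram, ingress_vpn: Optional[str] = None) -> dict:
    """Label on ingress (if the VPN is known), look up, and report uniqueness."""
    tagged = label_on_ingress(dgram, ingress_vpn) if ingress_vpn else dgram
    actions = spd_lookup(spd, tagged)
    return {"actions": actions, "unique": len(actions) == 1}


if __name__ == "__main__":
    pkt = Datagram("10.1.5.5", "10.2.9.9")
    print(classify(SPD_ADDRESS_ONLY, pkt))                       # two matches: ambiguous
    print(classify(SPD_WITH_LABELS, pkt, ingress_vpn="vpn-A"))   # one match
    print(classify(SPD_WITH_LABELS, pkt, ingress_vpn="vpn-B"))   # one match
    print(classify(SPD_WITH_LABELS, pkt))                        # unlabelled: no match
```

The last call shows the caveat that comes with the scheme: once entries are keyed on a label, a datagram that arrives without one matches no labelled entry, so a deployment needs an explicit unlabelled default (or a discard entry) rather than relying on the address selectors alone.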