[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Another field for traffic selector?

To: ipsec@lists.tislabs.com
Subject: Another field for traffic selector?
From: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
Date: Tue, 11 Mar 2003 17:15:51 -0500 (EST)
Reply-To: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
Sender: owner-ipsec@lists.tislabs.com

Sorry Charlie... (for what I'm about to bring up)

I was just talking to someone about some routing thing,
and realized that IPsec might need another traffic selector
field, for "virtual network number".

Suppose you have several customer intranets, C1, C2, C3, C4,
all using local IP addresses, so there's no way to distinguish
traffic based on IP addresses, ports, or protocol types.

And you have two firewalls F1 and F2 that are providing VPN
service to different offices of customers C1, C2, C3, C4.

These customers are not talking to each other. They are only
talking between their own nodes, but they are all utilizing
IPsec tunnels between F1 and F2.

What would solve the problem is for F1 and F2 to create 4 different
SAs, one for each of C1, C2, C3, and C4. But they have to negotiate
which is which. So if there were another traffic selector field for
"virtual network", 4 different child-SAs could be created, and
F2 then would know, when it received a packet, which customer net
it belonged to based on which SA it was received on.

I'm not sure what to call it, or what size it ought to be.
Other protocols need to solve this problem. The "VLAN tag"
is used in 802. "Partition ID" is used in infiniband. I've
heard the name "virtual router ID" for something, but I think
that's a terrible name (since it's a virtual net, not a virtual
router). If anyone can suggest an already-recognized name
for this concept, an already-recognized size of the field,
and an already-recognized numbering scheme, we should adopt it.
Otherwise, I'd suggest the name "virtual net", size 2 bytes,
and a numbering scheme that is local to F1 and F2 (someone
would configure it compatibly at the two ends and map it
to specific customer nets).

So, there are two issues:
a) I think we need to add this field to the traffic selector in IKE
b) If at this late date extra things (this plus the uniquifier)
are coming up as needing to be in the traffic selector, perhaps
the encoding of traffic selector should be more flexible, so
that new fields can be added in the future.

Radia

Follow-Ups:
- Re: Another field for traffic selector?
  - From: "sankar ramamoorthi" <sankar@speakeasy.net>
- Re: Another field for traffic selector?
  - From: jeremy.de_clercq@alcatel.be
- Re: Another field for traffic selector?
  - From: "Scott G. Kelly" <scott@airespace.com>
- Another field for traffic selector?
  - From: Michael Thomas <mat@cisco.com>
- Re: Another field for traffic selector?
  - From: Lars Eggert <larse@ISI.EDU>

Prev by Date: Re: IKEv2 and multiple tunnels. (Was: QoS and IKEv2)
Next by Date: Re: IPsec bakeoff in July 2003 confirmed
Prev by thread: Re: IPsec bakeoff in July 2003 confirmed
Next by thread: Re: Another field for traffic selector?
Index(es):
- Date
- Thread