
Re: Another field for traffic selector?



Hi Radia,

I'm a little confused about this (sorry, not a ppvpn person). I have
some questions interspersed below.

Radia Perlman - Boston Center for Networking wrote:
> 
> Sorry Charlie... (for what I'm about to bring up)
> 
> I was just talking to someone about some routing thing,
> and realized that IPsec might need another traffic selector
> field, for "virtual network number".
> 
> Suppose you have several customer intranets, C1, C2, C3, C4,
> all using local IP addresses, so there's no way to distinguish
> traffic based on IP addresses, ports, or protocol types.

I don't have a clear picture of this in mind. Are you saying that the
customers are using overlapping private address spaces, e.g.

C1: 10.1.1.0-10.1.2.255

C2: 10.1.1.0-10.1.1.255

C3: 10.1.2.0-10.1.2.255

C4: 10.1.1.0-10.2.1.255

or do you mean something else?


> And you have two firewalls F1 and F2 that are providing VPN
> service to different offices of customers C1, C2, C3, C4.

This leads me to think of implementations which sit just inside the
cloud between the customer networks - is this what you mean?


Thanks for your indulgence,

Scott

----end of questions---------

> These customers are not talking to each other. They are only
> talking between their own nodes, but they are all utilizing
> IPsec tunnels between F1 and F2.
> 
> What would solve the problem is for F1 and F2 to create 4 different
> SAs, one for each of C1, C2, C3, and C4. But they have to negotiate
> which is which. So if there were another traffic selector field for
> "virtual network", 4 different child-SAs could be created, and
> F2 then would know, when it received a packet, which customer net
> it belonged to based on which SA it was received on.
> 
> I'm not sure what to call it, or what size it ought to be.
> Other protocols need to solve this problem. The "VLAN tag"
> is used in 802. "Partition ID" is used in infiniband. I've
> heard the name "virtual router ID" for something, but I think
> that's a terrible name (since it's a virtual net, not a virtual
> router). If anyone can suggest an already-recognized name
> for this concept, an already-recognized size of the field,
> and an already-recognized numbering scheme, we should adopt it.
> Otherwise, I'd suggest the name "virtual net", size 2 bytes,
> and a numbering scheme that is local to F1 and F2 (someone
> would configure it compatibly at the two ends and map it
> to specific customer nets).
> 
> So, there are two issues:
> a) I think we need to add this field to the traffic selector in IKE
> b) If at this late date extra things (this plus the uniquifier)
> are coming up as needing to be in the traffic selector, perhaps
> the encoding of traffic selector should be more flexible, so
> that new fields can be added in the future.
> 
> Radia
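As an added illustration (not code from either correspondent), here is a toy model of the selector problem discussed above: child SAs keyed only by the overlapping address ranges from the reply match a packet ambiguously, while a hypothetical 2-byte "virtual net" selector narrows the match to one SA. The SPI values and the vnet numbering are constructed.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class ChildSA:
    spi: int        # constructed SPI value
    customer: str
    lo: IPv4        # address-range traffic selector (inclusive)
    hi: IPv4
    vnet: int       # hypothetical "virtual net" selector, local to F1/F2


def sa(spi, customer, rng, vnet):
    lo, hi = (IPv4(a) for a in rng.split("-"))
    return ChildSA(spi, customer, lo, hi, vnet)


# Constructed: the overlapping ranges from the reply, one child SA per customer.
SAS = [
    sa(0x1001, "C1", "10.1.1.0-10.1.2.255", 1),
    sa(0x1002, "C2", "10.1.1.0-10.1.1.255", 2),
    sa(0x1003, "C3", "10.1.2.0-10.1.2.255", 3),
    sa(0x1004, "C4", "10.1.1.0-10.2.1.255", 4),
]


def select_sa(sas, dst, vnet=None):
    """Customers whose child SA selector matches a packet to dst.

    With address-only selectors (vnet=None) the overlapping ranges give
    several matches, so the receiving gateway cannot tell which customer
    net the packet belongs to. A vnet selector reduces it to one SA.
    """
    dst = IPv4(dst)
    return [s.customer for s in sas
            if s.lo <= dst <= s.hi and (vnet is None or s.vnet == vnet)]


def overlapping_customers(sas):
    """Pairs of customers whose address selectors overlap (vnet ignored)."""
    pairs = []
    for i, a in enumerate(sas):
        for b in sas[i + 1:]:
            if a.lo <= b.hi and b.lo <= a.hi:
                pairs.append((a.customer, b.customer))
    return pairs


if __name__ == "__main__":
    print(select_sa(SAS, "10.1.1.5"))          # ['C1', 'C2', 'C4']: ambiguous
    print(select_sa(SAS, "10.1.1.5", vnet=2))  # ['C2']
    print(overlapping_customers(SAS))
```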