
Another field for traffic selector?




Radia,

This strikes me as opening Pandora's box and then
some. There are many possible ways that you might
want to influence traffic on the egress side of
the tunnel including VLANs as you mention, but
also MPLS and other fell creatures. Also: this
seemingly overlaps with other ways of signaling in
the QoS domain (RSVP) which is another way of
thinking about this problem.

My big question is this: why does it need to go
into IKEv2 instead of considering it separately?
At the very least, the requirements would need to
be fleshed out and that sounds like a very deep
rathole.

		Mike

Radia Perlman - Boston Center for Networking writes:
 > Sorry Charlie... (for what I'm about to bring up)
 > 
 > I was just talking to someone about some routing thing,
 > and realized that IPsec might need another traffic selector
 > field, for "virtual network number".
 > 
 > Suppose you have several customer intranets, C1, C2, C3, C4,
 > all using local IP addresses, so there's no way to distinguish
 > traffic based on IP addresses, ports, or protocol types.
 > 
 > And you have two firewalls F1 and F2 that are providing VPN
 > service to different offices of customers C1, C2, C3, C4.
 > 
 > These customers are not talking to each other. They are only
 > talking between their own nodes, but they are all utilizing
 > IPsec tunnels between F1 and F2.
 > 
 > What would solve the problem is for F1 and F2 to create 4 different
 > SAs, one for each of C1, C2, C3, and C4. But they have to negotiate
 > which is which. So if there were another traffic selector field for
 > "virtual network", 4 different child-SAs could be created, and
 > F2 then would know, when it received a packet, which customer net
 > it belonged to based on which SA it was received on.
 > 
 > I'm not sure what to call it, or what size it ought to be.
 > Other protocols need to solve this problem. The "VLAN tag"
 > is used in 802. "Partition ID" is used in InfiniBand. I've
 > heard the name "virtual router ID" for something, but I think
 > that's a terrible name (since it's a virtual net, not a virtual
 > router). If anyone can suggest an already-recognized name
 > for this concept, an already-recognized size of the field,
 > and an already-recognized numbering scheme, we should adopt it.
 > Otherwise, I'd suggest the name "virtual net", size 2 bytes,
 > and a numbering scheme that is local to F1 and F2 (someone
 > would configure it compatibly at the two ends and map it
 > to specific customer nets).
 > 
 > So, there are two issues:
 > a) I think we need to add this field to the traffic selector in IKE
 > b) If at this late date extra things (this plus the uniquifier)
 > are coming up as needing to be in the traffic selector, perhaps
 > the encoding of traffic selector should be more flexible, so
 > that new fields can be added in the future.
 > 
 > Radia
 > 
 >
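An added example, not part of Mike's reply or Radia's message: a small model of the selector problem Radia describes. F1 and F2 hold one Child SA per customer, each described by a traffic selector. Because C1..C4 reuse the same private address space, the IPv4 selectors are identical and a lookup by address, port and protocol on F2 matches every SA; adding a "virtual net" selector dimension, numbered locally between F1 and F2, makes the lookup unique. The wire layout of the IPv4 address-range selector is the one IKEv2 later standardised in RFC 7296 section 3.13.1 (TS type, protocol, selector length, port range, address range); the TS_VIRTUAL_NET type value, its layout, the customer numbering and the sample packet are assumptions constructed for this example.

```python
"""Model of per-customer Child SAs with overlapping address space.

The IPv4 range selector follows RFC 7296 section 3.13.1.  The
TS_VIRTUAL_NET type (250), its 6-byte layout and the customer numbering
are hypothetical; they exist only to illustrate the proposal.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional
import struct

TS_IPV4_ADDR_RANGE = 7   # RFC 7296: 16-byte substructure
TS_VIRTUAL_NET = 250     # hypothetical private-use type, 6-byte substructure


@dataclass(frozen=True)
class Packet:
    dst: IPv4Address
    proto: int
    dport: int
    vnet: Optional[int] = None   # customer interface the packet arrived on at F1


@dataclass(frozen=True)
class TrafficSelector:
    start: IPv4Address
    end: IPv4Address
    proto: int = 0               # 0 = any protocol
    start_port: int = 0
    end_port: int = 65535
    vnet: Optional[int] = None   # proposed 2-byte "virtual net", None = absent

    def matches(self, pkt: Packet) -> bool:
        ok = (self.start <= pkt.dst <= self.end
              and self.proto in (0, pkt.proto)
              and self.start_port <= pkt.dport <= self.end_port)
        if self.vnet is not None:
            ok = ok and pkt.vnet == self.vnet
        return ok

    def encode(self) -> bytes:
        """Serialise as one or two TS substructures: type, proto, length, body."""
        ts = struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, self.proto, 16,
                         self.start_port, self.end_port,
                         self.start.packed, self.end.packed)
        if self.vnet is not None:
            # hypothetical layout: type, reserved byte, length=6, 2-byte virtual net
            ts += struct.pack("!BBHH", TS_VIRTUAL_NET, 0, 6, self.vnet)
        return ts


def decode(buf: bytes) -> TrafficSelector:
    """Parse TS substructures.  The per-substructure length field is what
    lets a parser step over types it does not know, i.e. what makes a
    typed, length-prefixed encoding extensible (Radia's point b)."""
    fields, vnet, off = None, None, 0
    while off < len(buf):
        ts_type, proto, length = struct.unpack_from("!BBH", buf, off)
        body = buf[off + 4: off + length]
        if ts_type == TS_IPV4_ADDR_RANGE:
            sp, ep, sa, ea = struct.unpack("!HH4s4s", body)
            fields = (IPv4Address(sa), IPv4Address(ea), proto, sp, ep)
        elif ts_type == TS_VIRTUAL_NET:
            (vnet,) = struct.unpack("!H", body)
        # any other type is skipped using its length
        off += length
    if fields is None:
        raise ValueError("no address selector present")
    return TrafficSelector(*fields, vnet=vnet)


def select_sa(sas: dict, pkt: Packet) -> list:
    """Names of every Child SA whose selector matches; more than one is ambiguous."""
    return [name for name, ts in sas.items() if ts.matches(pkt)]


def demo() -> dict:
    lo, hi = IPv4Address("10.0.0.0"), IPv4Address("10.255.255.255")
    # Without a virtual-net selector the four customer SAs are indistinguishable.
    plain = {f"C{i}": TrafficSelector(lo, hi) for i in range(1, 5)}
    # With it, F1 and F2 share a local numbering C1=1 .. C4=4 (constructed).
    tagged = {f"C{i}": TrafficSelector(lo, hi, vnet=i) for i in range(1, 5)}
    pkt = Packet(IPv4Address("10.1.2.3"), proto=6, dport=443, vnet=3)  # constructed
    return {
        "without_vnet": select_sa(plain, pkt),
        "with_vnet": select_sa(tagged, pkt),
        "wire_len": len(tagged["C3"].encode()),
        "roundtrip": decode(tagged["C3"].encode()) == tagged["C3"],
    }


if __name__ == "__main__":
    r = demo()
    print("without virtual net:", r["without_vnet"])   # all four SAs match
    print("with virtual net:   ", r["with_vnet"])      # only C3
```

The `decode` loop is the point of the extensibility argument: because each selector substructure carries its own type and length, a new selector kind can be added without changing the layout of the ones already defined, and a peer that does not understand it can at least find the next substructure rather than mis-parsing the payload.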