
Re: Another field for traffic selector?



Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com> writes:

> If there is some way to tell what "wire" things
> are coming on, as for instance if they are
> different MPLS tunnels, then there's no problem.
> But if they are forwarding simply with IP, then
> without this way of negotiating on SA creation,
> I don't see how the firewalls can do this.

Why not just use different identities?

The ingress firewall already needs some out-of-band mechanism to know
that a packet from 10.0.0.1 is from VPN-1 rather than VPN-2.  It can
know this because it's arriving on a different port or a different
MPLS tunnel.  Regardless, it doesn't matter, it knows the source.
This means that any firewall endpoint must necessarily have some
meta-IP method to determine VPNs.

If one piece of hardware is acting as an IPsec terminal point, why
can't it use a different IKE identity per VPN?  If I want to set up a
tunnel for VPN-1, I negotiate an SA for VPN-1 using an IKE ID for
VPN-1.

A box could internally apply the meta-IP information for SA selection.
How this is done does not need to be standardized, IMHO.

-derek

> Radia
> 
> "Scott G. Kelly" <scott@airespace.com> wrote:
> >I guess I don't see why you can't have multiple tunnels between the
> >devices, since the tunnel selectors (the nat'd network addresses) are
> >unique. Alternatively, you can use an encapsulation of some sort (GRE,
> >UDP, L2TP, etc), which permits unique per-customer selectors. This can
> >be done cleanly without modifying the ipsec protocols, can't it?
> >
> 

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
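To make the proposal above concrete, here is an added example (not code from the post or from any IPsec implementation) of an endpoint that keys its SA database on the per-VPN IKE identity plus the traffic selector, so two customers with overlapping NAT'd 10.0.0.0/24 space get distinct SAs; the ingress-to-VPN mapping, identity strings and SPIs are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ChildSA:
    ike_id: str    # IKE identity the peer used when this SA was negotiated
    selector: str  # traffic selector (destination network) this SA covers
    spi: int       # Security Parameter Index


class Endpoint:
    """IPsec termination point shared by several VPN customers."""

    def __init__(self):
        # Out-of-band knowledge: which ingress "wire" (port or MPLS tunnel)
        # belongs to which VPN, expressed as the IKE identity of that VPN.
        self.ingress_to_ike_id = {}
        # SA database keyed on (IKE identity, selector), not selector alone.
        self.sad = {}

    def bind_ingress(self, ingress, ike_id):
        self.ingress_to_ike_id[ingress] = ike_id

    def install_sa(self, sa):
        self.sad[(sa.ike_id, sa.selector)] = sa

    def select_sa(self, ingress, dst):
        """Pick the SA for a packet using the ingress context plus selector."""
        ike_id = self.ingress_to_ike_id.get(ingress)
        if ike_id is None:
            return None  # unknown wire: drop rather than guess the customer
        for (sa_ike_id, sel), sa in self.sad.items():
            if sa_ike_id == ike_id and ip_address(dst) in ip_network(sel):
                return sa
        return None

    def matches_by_selector_only(self, dst):
        """What a selector-only lookup would see: every SA covering dst."""
        return [sa for (_, sel), sa in self.sad.items()
                if ip_address(dst) in ip_network(sel)]


def build_demo_endpoint():
    # Constructed sample: two customers both using NAT'd 10.0.0.0/24.
    ep = Endpoint()
    ep.bind_ingress("eth1", "vpn1@example.net")
    ep.bind_ingress("mpls-label-200", "vpn2@example.net")
    ep.install_sa(ChildSA("vpn1@example.net", "10.0.0.0/24", 0x1001))
    ep.install_sa(ChildSA("vpn2@example.net", "10.0.0.0/24", 0x2001))
    return ep
```

`matches_by_selector_only` shows the ambiguity Radia is worried about (two SAs match 10.0.0.1), while `select_sa` resolves it with the ingress context alone and never has to touch the IKE/IPsec wire format.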