[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re:2401bis Issue #68 -- VPNs with overlapping IP address ranges
At 12:08 +0530 9/17/03, Ravi Kumar wrote:
> Hi,
> Implementations (including ours) allocate one or more public IP
>addresses for each subscriber.
> It is expected that IKE negotiations and IPSEC traffic come with
>this(these) IP address(es) as
> 'Destination IP'. Based on this, subscriber ID is extracted
>locally and after decryption, the packets
> are forwarded onto the subscriber network.
> It is not mandatory to negotiate Subscriber ID via IKE.
> Due to this, I feel, we should not make negotiation of subscribe
>ID mandatory.
> But, if same public IP address is used across multiple
>subscribers, then subscriber ID via IKE
> is needed. The proposed text should take care of above.
>Thanks
> Ravi
Ravi,
Use of multiple public addresses, one per subscriber net per Ipsec
implementation, does provide another means of identifying the
subscriber net, but this requires an ability to acquire the multiple,
public addresses at each end. In that sense, this is a less general
approach than using a subscriber net ID internal to IPsec (IKE). In
general I think we are better off with a mechanism that works in all
cases, vs. one that works only if it is possible to acquire enough
public addresses from an ISP to assign one to each subscriber net
address behind the device.
Steve