
RE: Issue #68: VPNs with overlapping IP address ranges (was Re: 2 401bis issues (possible) resolution)

At 12:13 PM 10/8/2003 -0400, Paul Knight wrote:
...
>It appears to me that a solution allowing a single encapsulation of the 
>corporate traffic (either IPsec tunnel mode or 
>IP-tunnel-in-IPsec-transport-mode), and without tagging every packet, 
>requires the VPN-ID (or "Context identifier").
>
>I do hope there is a way to support this requirement without adding the 
>extra "Context ID" payload, but I have not seen it yet. I would be happy 
>to hear of a solution.
>
>Another possible way to support this could be another ID Type within the 
>Identification Payload. In this case, multiple new ID Types may be needed 
>since there are multiple VPN-ID formats (see my message of yesterday).  I 
>am somewhat concerned about overloading the Identification Payload in this 
>way, since the Context IDs are actually a kind of temporary "sub-identity" 
>of the gateways.  This brings to mind the "me Tarzan - you Jane" concepts 
>discussed earlier.

I think inferring the context from the initiator ID is not the right 
model.  Conveying the context in the responder ID as asserted by the 
initiator (the "you Jane") does about the right thing in terms of 
signalling the context, but at the cost that the systems may have to have 
many identities, and credentials for them.  It is much better IMO to 
decouple the VPN context from the IKE identity.

(Maybe that's what you were saying anyway Paul.)

--Mark
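As an added illustration (not part of this thread or any of the cited drafts), a constructed model of the gateway lookup problem under discussion: two VPN contexts with overlapping inner prefixes terminated on one gateway, where the inner address alone cannot select the context, but a VPN-ID bound to each child SA, held separately from the IKE peer identity, can. All names, SPIs and prefixes are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: two customer VPNs that both use 10.1.0.0/16 internally,
# terminated on the same provider-edge gateway. Names and IDs are hypothetical.
VPN_PREFIXES = {
    "vpn-A": ipaddress.ip_network("10.1.0.0/16"),
    "vpn-B": ipaddress.ip_network("10.1.0.0/16"),
}

@dataclass(frozen=True)
class ChildSA:
    spi: int
    ike_peer_id: str   # IKE identity of the remote gateway (one credential)
    vpn_id: str        # VPN context conveyed separately from the IKE identity

# Child SAs established under a single IKE SA with one peer identity.
# Because the context is decoupled from the identity, the same peer can hold
# tunnels into both customer contexts without a second set of credentials.
SAD = {
    0x1001: ChildSA(0x1001, "gw1.example.net", "vpn-A"),
    0x1002: ChildSA(0x1002, "gw1.example.net", "vpn-B"),
}

def contexts_for_inner_dst(dst):
    """Selector lookup by inner address alone: ambiguous when ranges overlap."""
    addr = ipaddress.ip_address(dst)
    return sorted(v for v, net in VPN_PREFIXES.items() if addr in net)

def context_for_packet(spi, dst):
    """Disambiguate by the VPN context bound to the SA the packet arrived on."""
    sa = SAD[spi]
    addr = ipaddress.ip_address(dst)
    if addr not in VPN_PREFIXES[sa.vpn_id]:
        raise ValueError("inner address outside the SA's VPN context")
    return sa.vpn_id

def identities_required(sad):
    """Distinct IKE identities (credential sets) needed to serve all contexts."""
    return len({sa.ike_peer_id for sa in sad.values()})
```

With the context inferred from the IKE identity instead, `identities_required` would have to equal the number of contexts, which is the credential cost the reply above objects to.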