[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Issue #68: VPNs with overlapping IP address ranges (was Re: 2 401bis issues (possible) resolution)

Hi Tero and all, (trying to send again) I think you are right that the VPN subscriber ID is = not required in the case you describe (individual host or client = connecting via a gateway), but the more difficult case is where there = are multiple "ISP SGW" devices, which are used to = interconnect multiple corporate sites in a VPN. In the = VPN-related working groups, the terminology would be "PE" - = provider edge devices. So in terms of your diagram, it would look = like: Corp A = --------.     .------ Corp A   = +-----+ = ; +-----+   | ISP |---{ Internet } ----| ISP |   | SGW = | = ; | SGW |   = +-----+ = ; +-----+ Corp B = --------'     '------ Corp B Corporations A & B may trust their links to the = ISP who runs the security gateways, but they want the ISP to provide = IPsec protection between the ISP's SGWs, where the traffic runs across = the Internet. In my message of yesterday (Re: 2401bis issues = (possible) resolution), I identified some issues, described some ways = to deal with this, and recommended using the VPN-ID as a way for the = ISP SGWs to negotiate an SA pair per VPN between the two SGWs, without = requiring extra IP addresses. There are ways to multiplex the VPN traffic over a = single SA pair, but these all seem to require either extra = encapsulation or the addition of some "tag" to every = packet. It appears to me that a solution allowing a single = encapsulation of the corporate traffic (either IPsec tunnel mode or = IP-tunnel-in-IPsec-transport-mode), and without tagging every packet, = requires the VPN-ID (or "Context identifier"). I do hope there is a way to support this requirement = without adding the extra "Context ID" payload, but I have not = seen it yet. I would be happy to hear of a solution. Another possible way to support this could be another = ID Type within the Identification Payload. In this case, multiple new = ID Types may be needed since there are multiple VPN-ID formats (see my = message of yesterday). I am somewhat concerned about overloading = the Identification Payload in this way, since the Context IDs are = actually a kind of temporary "sub-identity" of the gateways.  This brings to mind the "me Tarzan - you Jane" concepts = discussed earlier. Regards, Paul Knight P.S. I include my message of yesterday below = for ease of reference. > -----Original Message----- > From: Tero Kivinen [<3d.htm>mailto:kivinen@ssh.fi] > Sent: Wednesday, October 08, 2003 10:28 = AM > To: Mark Duffy > Cc: Angelos D. Keromytis; = ipsec@lists.tislabs.com > Subject: Issue #68: VPNs with overlapping IP = address ranges > (was Re: 2401bis issues (possible) = resolution) > > > [Please when you send comments to list, use the = issue number > in the subject, so it is easier for the others = to search for > other mails with same issue]. > > Mark Duffy writes: > > = > 68 VPNs with = overlapping IP address ranges > > #68 (as I think you have acknowledged) = consists of multiple parts, > > some of > > which are implementation issues but not = all. Part of #68 > involved a > > capability in the protocol: > > > = > b. = They MUST negotiate a VPN subscriber ID using IKE, as > = > noted = above, to enable forwarding of inbound IPsec > = > = traffic after crypto processing. > > I do not think there is any need to negotiate = the VPN > subscriber ID between the parties. The VPN = subscriber ID is > internal to the SGW, and it is not going to = trust anything > the other end sends. > > If I have understood correctly about the case = it is something like > this: > > > > Corp A = --------. = = +---- Client C > = = +-----+ = | > = | = ISP |-----{ Internet } ----| > = | = SGW | = | > = = +-----+ = +---- Client D > Corp B = --------' > > > Where the ISP SGW is acting as VPN GW for both = corporation A > and corporation B, and the clients connect to = it using IPsec > through the internet. Corporations A and B both = use > 10.0.0.0/8 network, and give out IP address to = the clients > from the same range. Now when the client C = connects to the > ISP SGW it authenticates itself as = c@corp-a.com. The ISP SGW > will now link that authenticated identity to = the VPN > Subscriber ID of Corp-A, and attach all packets = coming from > the client C to that VPN ID. When it is sending = them out it > will send to Corp A interface, because it is = also attached to > the Corp-A VPN ID. > > The ISP SGW will not be trusting client C to = send him the VPN > ID, as if it would trust clinet C, the = c@corp-a.com could > send VPN ID of corp-b instead and get access to = the Corp B network. > > So only way to get those VPN-IDs is through the = configuration > based on the authenticated ID of the client, = thus there is no > need to negotiate them in IKE. > > This means that client C and D are normal IPsec = clients, and > they do not have any special processing to be = done. If Client > C for some reason wants (and is allowed) to be = part of both > Corp A and B networks, then he can have two = authenticated IKE > identities c@corp-a.com and = c@corp-b.com. > > All the special processing of VPN IDs etc (or = whatever local > processing the ISP SGW does) is inside the ISP = SGW, thus it > is purely local implementation issue. > > > When a security Gateway is operating on = behalf of multiple contexts > > (e.g. > > multiple subscribers, or multiple = ppvpn-style overlay > addressing contexts), > > it is essential that the initiator be able = to convey to the > responder which > > context is being addressed. > > Do not use IP addresses as a IKE SA identities = then. Use the > dns names or email addresses or something else. = There is no > need to use ip addresses in those cases (or = actually using ip > addresses would be quite bad, as it is not = unique...). > > > In the absence of a capability to signal = this > > in IKE, the only full-functioned = alternative is for the SGs > to maintain a > > separate IP address to use for each = supported context. > This can waste a > > lot of addresses, and it isn't even as = good anyway because > it requires > > coordinated configuration on both ends to = understand which > IP address in > > each SG corresponds to which = context. > > There is no need for that. > > > My conclusion: 2401bis should = support the concept of multiple > > contexts > > supported in an IPsec device, and IKE = should provide a > means to convey the > > desired context in the initial = exchange. > > I do not think this is general case that should = be > implemented in the all IPsec stacks out there. = It will be > implemented as purely local matter in some of = the IPsec > implementations, and there is no need to have = any kind of > negotiation or changes to the IKE because of = that. > -- > kivinen@ssh.fi > SSH Communications = Security   <3d.htm>http://www.ssh.fi/ > SSH IPSEC = Toolkit = ; = ; <3d.htm>http://www.ssh.fi/ipsec/ ***************** yesterday's message below = ******* Hi Angelos, Mark, and all, I agree with Mark on this, we need a context = identifier for the VPN case, in order to provide the most = straightforward IPsec solution, while not forcing the use of multiple = IP addresses on the security gateways. Just to make sure we're clear, here is the basic = scenario: CE-A1--\     /--CE-A2 = PE1---(Internet)----PE2 CE-B1--/     \--CE-B2 CE = Customer Edge device CE-A1 = CE at customer A, VPN site 1 PE = Provider Edge device (also security gateway = in this case) Customers A,B each have two VPN sites. They each = use network 10.0.0.0 (for example). PE1 and PE2 would like to set up IPsec SA pairs = (IPsec connections) to carry the VPN traffic for both VPNs A and = B. They have at least two basic ways to do this: (1) Set up a single IPsec connection between PE1 and = PE2 for both VPNs. (2) Set up one IPsec connection *per VPN* between = PE1 and PE2. Two ways to do this: (2a) use one IP address per VPN on the = Internet-facing interface(s) of each PE, and negotiate an IPsec = connection for each IP address pair, and use an internal mechanism to = associate the IP addresses and IPsec connections to the = VPNs. (2b) use a single IP address on the = Internet-facing interface of each PE, use a context identifier (VPN-ID) = to negotiate multiple IPsec connections (one per VPN), and use an = internal mechanism to associate the IPsec connections to the = VPNs. Discussion: (1) does not require any change to IKEv2 or 2401bis, = but it is not able to carry IP directly (without additional = encapsulation or some kind of label) in the VPN scenario described = above. One approach based on (1) is proposed in = draft-ietf-l3vpn-ipsec-2547-01.txt. It relies on an MPLS label = attached to each packet within the SA, to allow the receiver to associat= e the traffic with the appropriate VPN. [IMPORTANT NOTE: This approach implies that paragraph = b. of issue 68 (quoted by Mark below) should use MAY instead of MUST or = SHOULD. This approach would be invalidated by the adoption of the = MUST language.] A variation of this approach could use a VPN-ID field = appended to each packet instead of an MPLS label. Another approach based on (1) is described in the = "backbone Virtual Router" discussion of = draft-ietf-l3vpn-vpn-vr-01.txt. It uses additional encapsulation = to allow multiple VPNs to be carried over a single IPsec connection = between PEs. It uses additional IP addresses per VPN, but they = can be private addresses of the provider. (2a) does not scale well, since it requires adding = additional routable IP addresses when additional VPNs are added to a = PE. (2b) is attractive from the viewpoint of not = requiring multiple IP addresses, although there are minor scaling = issues with separate IPsec connections per VPN. It requires a = method of signaling a context identifier or VPN-ID during IKE = negotiation. The simplest way I know to support this requirement = would be to add a Context-Identifier Payload to IKEv2. It should = support multiple types of context identifiers, since there are several = potential identifiers already known: 1 - VPN-ID - 7 bytes (RFC 2685) 2 = - Route Distinguisher - 8 bytes (RFC 2547) 3 - MPLS Label Regards, Paul Knight > -----Original Message----- > From: Mark Duffy [<3d.htm>mailto:mduffy@quarrytech.com]<= /FONT> > Sent: Tuesday, October 07, 2003 4:25 PM > To: Angelos D. Keromytis; = ipsec@lists.tislabs.com > Subject: Re: 2401bis issues (possible) = resolution > > > At 01:38 PM 10/7/2003 -0400, Angelos D. = Keromytis wrote: > >In our weekly teleconference, we discussed = the following > items from the > >issues list: > ... > = > 68 VPNs with = overlapping IP address ranges > ... > >We believe that these items are = implementation-specific and/or not > >applicable to implementations in general = (this applies in > particular to > >50 and partially to 68). We invite one last = round of > comments on these > >items --- if you feel strongly, = yell! > > > Hi Angelos and list, > > As invited, I am yelling :-) > > #68 (as I think you have acknowledged) consists = of multiple parts, > some of which are implementation issues but not = all. Part of #68 > involved a capability in the protocol: > > = ; b. They MUST negotiate a VPN subscriber ID using IKE, as > = ; noted above, to enable forwarding of inbound IPsec > = ; traffic after crypto processing. > > When a security Gateway is operating on behalf = of multiple contexts > (e.g. multiple subscribers, or multiple = ppvpn-style overlay > addressing contexts), > it is essential that the initiator be able to = convey to the > responder which > context is being addressed. In the = absence of a capability > to signal this > in IKE, the only full-functioned alternative is = for the SGs > to maintain a > separate IP address to use for each supported = context. This > can waste a > lot of addresses, and it isn't even as good = anyway because it > requires > coordinated configuration on both ends to = understand which IP > address in > each SG corresponds to which context. > > My conclusion: 2401bis should support the = concept of multiple > contexts supported in an IPsec device, and IKE = should provide a means > to convey the > desired context in the initial exchange. > > Thanks, Mark > > >