Re: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)



At 01:15 PM 10/10/2003 +0300, Tero Kivinen wrote:
>Now I am confused. Earlier I thought that VPN-ID was meant to be like
>a traffic selector, i.e. that you could create one IKE SA and then for
>each IPsec SA you select which VPN-ID is used. You seem to be
>proposing that VPN-ID is more like the IKE authentication ID, i.e. the
>identity of the other end.
>
>For that kind of use you need to have a separate IKE SA for each VPN,
>and then the proper way to do that is to use separate credentials and
>authentication ID per VPN.

Some folks participating in this discussion are talking about binding 
VPN-IDs to child SAs and others are talking about binding VPN-IDs to IKE 
SAs.  This is because people have different applications in mind and so 
they have different requirements.


>Anyways, I think this is something that is not for general IPsec use,
>but a more specific case, thus I do not think we should include the
>current issue #68 in the RFC2401bis now. I think we can write a new
>document to describe how to do that kind of thing.
>
>Can we agree on that now?

At this point I think that proponents of the VPN-ID signalling in IKE need 
to go off and write an I-D or I-Ds about extending IKEv2 to convey 
VPN-IDs.  I would hope to see 2401bis written in such a way that it will 
accommodate use of such signalling.  But, I don't know exactly what that 
means in terms of text in 2401bis.

--Mark