Re: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)
At 01:15 PM 10/10/2003 +0300, Tero Kivinen wrote:
>Now I am confused. Earlier I thought that VPN-ID was meant to be like
>a traffic selector, i.e. that you could create one IKE SA and then for
>each IPsec SA you select which VPN-ID is used. You seem to be
>proposing that VPN-ID is more like the IKE authentication ID, i.e. the
>identity of the other end.
>
>For that kind of use you need to have separate IKE SA for each VPN,
>and then the proper way to do that is use separate credentials and
>authentication ID per VPN.
Some folks participating in this discussion are talking about binding
VPN-IDs to child SAs and others are talking about binding VPN-IDs to IKE
SAs. This is because people have different applications in mind and so
they have different requirements.
>Anyways, I think this is something that is not for general IPsec use,
>but more specific case, thus I do not think we should include the
>current issue #68 in the RFC2401bis now. I think we can write new
>document to describe how to do that kind of things.
>
>Can we agree on that now?
At this point I think that proponents of the VPN-ID signalling in IKE need
to go off and write an I-D or I-Ds about extending IKEv2 to convey
VPN-IDs. I would hope to see 2401bis written in such a way that it will
accommodate use of such signalling. But, I don't know exactly what that
means in terms of text in 2401bis.
--Mark
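The two binding models the message contrasts (VPN-ID carried per child SA as part of the traffic selector, versus VPN-ID tied to the IKE SA and its authenticated identity) can be made concrete with a small model. The following is an added illustration, not code from the thread, RFC 2401bis or any IKEv2 draft: the SPD, the gateway names, the `model` switch and the overlapping 10.0.0.0/8 ranges are constructed for the example. It shows that with overlapping customer ranges an outbound lookup without a VPN context is ambiguous, that the child-SA model lets one IKE SA carry child SAs for several VPNs, and that the IKE-SA model refuses a child SA whose VPN does not match the identity the IKE SA was authenticated for, which is why that model needs one IKE SA (and one set of credentials) per VPN.

```python
"""Toy model of VPN-ID binding for overlapping address ranges.

Constructed illustration only; it does not reflect any IKEv2 wire format.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


class PolicyError(Exception):
    """Raised when a policy lookup or child-SA negotiation is rejected."""


@dataclass(frozen=True)
class ChildSa:
    vpn_id: str
    remote_net: ipaddress.IPv4Network


@dataclass
class IkeSa:
    peer_auth_id: str               # hypothetical authenticated peer identity
    vpn_id: Optional[str] = None    # IKE-SA model: VPN bound to the whole IKE SA
    children: List[ChildSa] = field(default_factory=list)


def negotiate_child(ike_sa: IkeSa, vpn_id: str, remote_net: str, model: str) -> ChildSa:
    """Create a child SA under `ike_sa`.

    model == "child": VPN-ID is a per-child attribute (a traffic-selector-like
                      field); any VPN may be carried by this IKE SA.
    model == "ike":   VPN-ID is a property of the IKE SA, fixed by the peer's
                      authenticated identity; a mismatching request is refused.
    """
    net = ipaddress.ip_network(remote_net)
    if model == "child":
        child = ChildSa(vpn_id, net)
    elif model == "ike":
        if ike_sa.vpn_id is None:
            raise PolicyError("IKE-SA model requires a VPN bound to the IKE SA")
        if vpn_id != ike_sa.vpn_id:
            raise PolicyError(
                f"IKE SA with {ike_sa.peer_auth_id} is bound to {ike_sa.vpn_id}, "
                f"refusing child SA for {vpn_id}")
        child = ChildSa(vpn_id, net)
    else:
        raise ValueError(f"unknown model {model!r}")
    ike_sa.children.append(child)
    return child


def select_child(ike_sas: List[IkeSa], vpn_id: str, dst: str) -> ChildSa:
    """Outbound lookup keyed by (VPN-ID, destination): unambiguous even when
    two VPNs use the same private range."""
    addr = ipaddress.ip_address(dst)
    hits = [c for sa in ike_sas for c in sa.children
            if c.vpn_id == vpn_id and addr in c.remote_net]
    if not hits:
        raise PolicyError(f"no child SA for {vpn_id} -> {dst}")
    if len(hits) > 1:
        raise PolicyError(f"overlapping policies within {vpn_id} for {dst}")
    return hits[0]


def select_child_without_vpnid(ike_sas: List[IkeSa], dst: str) -> ChildSa:
    """Outbound lookup by destination alone, as a plain address-based SPD
    would do it: fails once two VPNs overlap."""
    addr = ipaddress.ip_address(dst)
    hits = [c for sa in ike_sas for c in sa.children if addr in c.remote_net]
    if not hits:
        raise PolicyError(f"no child SA for {dst}")
    if len(hits) > 1:
        raise PolicyError(
            f"ambiguous: {dst} matches {[c.vpn_id for c in hits]} without a VPN-ID")
    return hits[0]


if __name__ == "__main__":
    # Child-SA model: one IKE SA, two child SAs for two VPNs sharing 10.0.0.0/8.
    shared = IkeSa("gw.example")
    negotiate_child(shared, "vpn-A", "10.0.0.0/8", "child")
    negotiate_child(shared, "vpn-B", "10.0.0.0/8", "child")
    print(select_child([shared], "vpn-B", "10.1.2.3"))
    try:
        select_child_without_vpnid([shared], "10.1.2.3")
    except PolicyError as e:
        print("without VPN-ID:", e)
    # IKE-SA model: one IKE SA per VPN; cross-VPN child SA is refused.
    sa_a = IkeSa("gw-a", vpn_id="vpn-A")
    try:
        negotiate_child(sa_a, "vpn-B", "10.0.0.0/8", "ike")
    except PolicyError as e:
        print("IKE-SA model:", e)
```

Both models end up doing the same keyed lookup on the outbound side; the difference the thread turns on is where the VPN context comes from, a per-child selector carried inside one IKE SA or the authenticated identity of a dedicated IKE SA.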