[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)

To: Eric Vyncke <evyncke@cisco.com>
Subject: Re: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)
From: Tero Kivinen <kivinen@ssh.fi>
Date: Tue, 14 Oct 2003 19:32:17 +0300
Cc: jef@linuxbe.org, Mark Duffy <mduffy@quarrytech.com>, "Angelos D. Keromytis" <angelos@cs.columbia.edu>, ipsec@lists.tislabs.com
In-Reply-To: <5.1.0.14.2.20031014172031.02fe53b8@localhost>
Organization: SSH Communications Security Oy
References: <1066135916.1044.74.camel@gardafou><5.2.0.9.0.20031007155701.02041dc8@email><200310071738.h97HclHW002907@coredump.cs.columbia.edu><5.1.0.14.2.20031010115536.02e287b8@localhost><5.1.0.14.2.20031014172031.02fe53b8@localhost>
Sender: owner-ipsec@lists.tislabs.com

Eric Vyncke writes:
> It is not only about negotiation of phase 1 protection, it can also be:
> - for a shared SG: a hard limit on the number of IKE SA per customer

This should be done only after the authentication, as only after then
you really know who the other end is. 

> - selection of the right CA to send CERT_REQ (again in the case of a 
>   shared SG with dozens or more customers each with its own CA)

Send multiple certificate requests, i.e for each CA there are, or
simply leave out the certificate requests, and assume that you either
have the certificate, or that the client is configured to send you the
certificate anyways. 

> This was indeed the main reason why IKEv1 is like it is. But, other
> people re-used this 'feature' to do other services with it (like
> the ones described above).
> 
> And, it would be really useful to keep the same services with
> IKEv2.

I think the best way to solve that kind of 'features' is to use
something like proprietary notification or something similar if you
cannot do it by the normal rules. I most of those cases there are ways
to get over with the problems by just doing little extra work.

I.e when you initially respond to the IKE SA you guess some policy and
use it. When you see the identity you verify your guess. If the guess
was incorrect you abort the negotiation, and request other end to
restart it, and mark it in your internal table that this IP address
should use this guess next time for next n minutes. Then when the
initiator restarts you select this different policy guess, and use
that instead. So all of these are doable, they might just need some
extra work. 
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

References:
- Re: Issue #68: VPNs with overlapping IP address ranges (was Re:2401bis issues (possible) resolution)
  - From: Jean-Francois Dive <jef@linuxbe.org>
- Re: 2401bis issues (possible) resolution
  - From: Mark Duffy <mduffy@quarrytech.com>
- 2401bis issues (possible) resolution
  - From: "Angelos D. Keromytis" <angelos@cs.columbia.edu>
- Re: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)
  - From: Eric Vyncke <evyncke@cisco.com>
- Re: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)
  - From: Eric Vyncke <evyncke@cisco.com>

Prev by Date: 2401bis issues
Next by Date: Issue 68 ("VPNs with overlapping IP address ranges")
Prev by thread: Re: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)
Next by thread: Re: 2401bis issues (possible) resolution
Index(es):
- Date
- Thread