
Re: Issue 68 ("VPNs with overlapping IP address ranges")



At 12:55 -0400 10/14/03, Angelos D. Keromytis wrote:
>We discussed this issue in our weekly telecon...it appears that there are two
>separate, but connected issues here:
>
>a) Some kind of IKE notification to inform the SG which subscriber the
>    initiator wants to talk to; this is something that should be resolved in
>    IKEv2, most likely as an additional document.
>
>b) Support in the IPsec stack (meaning 2401bis text) for the notion of
>    different subscribers. This part is applicable to 2401bis and thus to this
>    issue. How it is implemented should be left to the individual
>    implementations. There may be some merit in including a paragraph in
>    2401bis mentioning the issue; so:
>
>     We solicit 1 paragraph describing the issue and the possibilities for
>     implementing it, to be included in 2401bis. If such a paragraph does not
>     materialize in a week (by our next telecon), we will simply drop the
>     issue.
>
>Cheers,
>-Angelos

I just returned from a 2 week trip and am catching up on mail, lots of mail ...

Still, I am a bit concerned by this characterization. Having looked 
at the traffic on this issue, I did not see a clear description of 
how two implementations would signal the necessary info in a standard 
fashion.  So I think that topic 1, the IKEv2 extension, will be 
critical.

As for item 2 above, we think it is appropriate to discuss this issue 
and I thought we had proposed text to that effect.  That text noted 
that it was a local matter as to how one took traffic from multiple 
subscribers and mapped it to the right SPD, but one has to discuss 
this as part of the overall processing model, to ensure that the 
model is clear and as complete as possible.

Steve