Re: Issue 68 ("VPNs with overlapping IP address ranges")




In message <p0600200dbbb1df3cd045@[128.89.89.75]>, Stephen Kent writes:
>
>Still, I am a bit concerned by this characterization. Having looked 
>at the traffic on this issue, I did not see a clear description of 
>how two implementations would signal the necessary info in a standard 
>fashion.  So I think that topic 1, the IKEv2 extension, will be 
>critical.

It may be critical, but it certainly isn't part of 2401bis. There is also some
apparent confusion as to what exactly is needed (some people talking about
Phase1 IDs for authentication, others about Subscriber IDs, and so on).

>As for item 2 above, we think it is appropriate to discuss this issue 
>and I thought we had proposed text to that effect.  That text noted 
>that it was a local matter as to how one took traffic from multiple 
>subscribers and mapped it to the right SPD, but one has to discuss 
>this as part of the overall processing model, to ensure that the 
>model is clear and as complete as possible.

There wasn't proposed text as such, just indications as to what might be
included (items 1 and 2 in the issue description). As to the proposed approach,
(a) is certainly acceptable, but (b) and (c) seem outside the scope of 2401bis
(suggesting use of NAT!)
-Angelos