Re: Issue 68 ("VPNs with overlapping IP address ranges")



Here in response to the solicitation is a proposed text re multiple context 
support in 2401bis:

      IPsec devices supporting services such as security gateway for
      multiple subscribers, IPsec-protected tunnel links for overlay networks,
      etc. MAY implement multiple separate IPsec contexts.  These contexts MAY
      have and use completely independent identities, policies, key management
      SAs, and/or IPsec SAs.  This is for the most part a local implementation
      matter.  However, a means for associating inbound proposals with local
      contexts is required.  To this end, if supported by the key management
      protocol in use, context identifiers MAY be conveyed from initiator to
      responder in the signalling messages, with the result that IPsec SAs are
      created with a binding to a particular context.

--Mark

At 12:55 PM 10/14/2003 -0400, Angelos D. Keromytis wrote:

>We discussed this issue in our weekly telecon...it appears that there are two
>separate, but connected issues here:
>
>a) Some kind of IKE notification to inform the SG which subscriber the
>    initiator wants to talk to; this is something that should be resolved in
>    IKEv2, most likely as an additional document.
>
>b) Support in the IPsec stack (meaning 2401bis text) for the notion of
>    different subscribers. This part is applicable to 2401bis and thus to this
>    issue. How it is implemented should be left to the individual
>    implementations. There may be some merit in including a paragraph in
>    2401bis mentioning the issue; so:
>
>     We solicit 1 paragraph describing the issue and the possibilities for
>     implementing it, to be included in 2401bis. If such a paragraph does not
>     materialize in a week (by our next telecon), we will simply drop the
>     issue.
>
>Cheers,
>-Angelos
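To make the problem in issue 68 and the proposed context binding concrete, here is an added toy model of a security gateway (not code from 2401bis, the IETF discussion, or any implementation): two subscriber contexts share the same private range, so an inbound proposal carrying only a traffic selector cannot be placed, while a proposal that conveys a context identifier produces an SA bound to that context and inbound traffic is then delivered into the right one. Context names, the SPD shape and the SPI values are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of a security gateway with per-subscriber IPsec contexts;
# context names, the SPD shape and SPI values are hypothetical, not from 2401bis.

@dataclass
class Context:
    name: str
    selectors: list                            # address ranges this context's SPD protects
    sad: dict = field(default_factory=dict)    # SPI -> negotiated traffic selector

    def __post_init__(self):
        self.selectors = [ip_network(s) for s in self.selectors]

    def covers(self, net):
        return any(net.subnet_of(s) for s in self.selectors)

class Gateway:
    def __init__(self, contexts):
        self.contexts = {c.name: c for c in contexts}
        self.sa_context = {}                   # SPI -> context name: the SA-to-context binding
        self.next_spi = 0x1000

    def handle_proposal(self, selector, context_id=None):
        """Responder side: pick the context for an inbound proposal and create an SA
        bound to it. Without a conveyed context id the only fallback is matching the
        selector against every context's SPD, which is ambiguous once ranges overlap."""
        net = ip_network(selector)
        if context_id is None:
            matches = [n for n, c in self.contexts.items() if c.covers(net)]
            if len(matches) != 1:
                raise ValueError(f"{selector} is ambiguous: matches {matches}")
            context_id = matches[0]
        ctx = self.contexts[context_id]        # KeyError for an unknown context id
        if not ctx.covers(net):
            raise ValueError(f"{selector} is not permitted in context {context_id}")
        spi, self.next_spi = self.next_spi, self.next_spi + 1
        ctx.sad[spi] = net
        self.sa_context[spi] = context_id
        return spi

    def inbound(self, spi, dst):
        """Decapsulated traffic is forwarded inside the SA's bound context after the
        usual selector check, so two subscribers sharing a private range stay apart."""
        context_id = self.sa_context[spi]
        if ip_address(dst) not in self.contexts[context_id].sad[spi]:
            raise ValueError("packet outside the SA's negotiated selector")
        return context_id
```

A context whose range does not overlap any other still resolves without an identifier, which is why the proposed text leaves the identifier optional ("MAY be conveyed") rather than mandatory.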