Re: Issue 68 ("VPNs with overlapping IP address ranges")
Good enough.
In message <5.2.0.9.0.20031014235708.0218d580@localhost>, Mark Duffy writes:
>Here in response to the solicitation is a proposed text re multiple context
>support in 2401bis:
>
> IPsec devices supporting services such as: security gateway for
>multiple subscribers, IPsec-protected tunnel links for overlay networks,
>etc. MAY implement multiple separate IPsec contexts. These contexts MAY
>have and use completely independent identities, policies, key management
>SAs, and/or IPsec SAs. This is for the most part a local implementation
>matter. However, a means for associating inbound proposals with local
>contexts is required. To this end, if supported by the key management
>protocol in use, context identifiers MAY be conveyed from initiator to
>responder in the signalling messages, with the result that IPsec SAs are
>created with a binding to a particular context.
>
>--Mark
>
>At 12:55 PM 10/14/2003 -0400, Angelos D. Keromytis wrote:
>
>>We discussed this issue in our weekly telecon...it appears that there are two
>>separate, but connected issues here:
>>
>>a) Some kind of IKE notification to inform the SG which subscriber the
>>initiator wants to talk to; this is something that should be resolved in
>>IKEv2, most likely as an additional document.
>>
>>b) Support in the IPsec stack (meaning 2401bis text) for the notion of
>>different subscribers. This part is applicable to 2401bis and thus to this
>>issue. How it is implemented should be left to the individual
>>implementations. There may be some merit in including a paragraph in
>>2401bis mentioning the issue; so:
>>
>> We solicit 1 paragraph describing the issue and the possibilities for
>> implementing it, to be included in 2401bis. If such a paragraph does not
>> materialize in a week (by our next telecon), we will simply drop the
>> issue.
>>
>>Cheers,
>>-Angelos