Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)

At 01:15 PM 10/10/2003 +0300, Tero Kivinen wrote:
> Now I am confused. Earlier I thought that VPN-ID was meant to be like
> a traffic selector, i.e. that you could create one IKE SA and then for
> each IPsec SA you select which VPN-ID is used. You seem to be
> proposing that VPN-ID is more like the IKE authentication ID, i.e. the
> identity of the other end.
>
> For that kind of use you need to have a separate IKE SA for each VPN,
> and then the proper way to do that is to use separate credentials and
> authentication ID per VPN.

Some folks participating in this discussion are talking about binding VPN-IDs to child SAs and others are talking about binding VPN-IDs to IKE SAs. This is because people have different applications in mind and so they have different requirements.

> Anyways, I think this is something that is not for general IPsec use,
> but a more specific case, thus I do not think we should include the
> current issue #68 in the RFC2401bis now. I think we can write a new
> document to describe how to do that kind of thing.
>
> Can we agree on that now?

At this point I think that proponents of the VPN-ID signalling in IKE need to go off and write an I-D or I-Ds about extending IKEv2 to convey VPN-IDs. I would hope to see 2401bis written in such a way that it will accommodate use of such signalling. But I don't know exactly what that means in terms of text in 2401bis.
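The two readings of VPN-ID discussed above (an extra selector on each child SA, or an identity bound to the IKE SA) are easy to confuse in the abstract. The following is an added toy model, written for this page and not code from the thread or from any IPsec implementation, that shows why overlapping address ranges break a plain selector lookup and how each reading resolves it. The SPD entries, the 10.1.0.0/24 ranges, the tunnel names and the peer identities are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SpdEntry:
    """One outbound SPD entry; vpn_id is None for a plain 2401-style entry."""
    vpn_id: Optional[str]
    remote: IPv4Network   # destination traffic selector
    sa_name: str          # the IPsec SA (tunnel) this entry steers traffic into


class AmbiguousSelector(Exception):
    """More than one entry matches: traffic could be delivered into the wrong VPN."""


def select_sa(spd: List[SpdEntry], dst: str, vpn_id: Optional[str] = None) -> str:
    """Choose the IPsec SA for a packet to dst.  When vpn_id is given it acts as
    an extra selector; when it is None only the address selectors are consulted."""
    addr = IPv4Address(dst)
    matches = [e for e in spd
               if addr in e.remote and (vpn_id is None or e.vpn_id == vpn_id)]
    if not matches:
        raise LookupError(f"no SPD entry covers {dst}")
    if len(matches) > 1:
        raise AmbiguousSelector(
            f"{dst} matches {[e.sa_name for e in matches]}; a VPN-ID is needed")
    return matches[0].sa_name


def is_ambiguous(spd: List[SpdEntry], dst: str, vpn_id: Optional[str] = None) -> bool:
    """True if the lookup cannot pick a single SA (the overlapping-range problem)."""
    try:
        select_sa(spd, dst, vpn_id)
    except AmbiguousSelector:
        return True
    return False


# Constructed SPD: two customer VPNs that both use 10.1.0.0/24 behind one gateway.
# Reading 1 (VPN-ID as a per-child-SA selector): the VPN-ID simply lives in the
# entry next to the address selectors, so one IKE SA could carry both tunnels.
SPD: List[SpdEntry] = [
    SpdEntry("vpn-A", IPv4Network("10.1.0.0/24"), "tunnel-A"),
    SpdEntry("vpn-B", IPv4Network("10.1.0.0/24"), "tunnel-B"),
]

# Reading 2 (VPN-ID bound to the IKE SA): the VPN-ID follows from the peer's
# authenticated IKE identity, and every child SA under that IKE SA must stay
# inside that one VPN.  Identities below are constructed for the example.
IKE_PEER_VPN: Dict[str, str] = {
    "gw-a.example.net": "vpn-A",
    "gw-b.example.net": "vpn-B",
}


def accept_child_sa(ike_peer_id: str, proposed: SpdEntry) -> bool:
    """Reading 2 check: a child SA proposal may only cover the VPN that the
    IKE SA's peer identity is bound to; anything else is refused."""
    return IKE_PEER_VPN.get(ike_peer_id) == proposed.vpn_id


if __name__ == "__main__":
    print("address only ->", "ambiguous" if is_ambiguous(SPD, "10.1.0.7") else "ok")
    print("with vpn-A   ->", select_sa(SPD, "10.1.0.7", "vpn-A"))
    print("with vpn-B   ->", select_sa(SPD, "10.1.0.7", "vpn-B"))
    print("gw-a proposing a vpn-B child SA accepted?",
          accept_child_sa("gw-a.example.net", SPD[1]))
```

The point the model makes concrete: with overlapping ranges, an address-only SPD lookup has no single answer, and whichever entry happens to win silently sends one customer's traffic into another customer's tunnel. Under reading 1 the VPN-ID disambiguates the lookup; under reading 2 the VPN-ID never appears in the selector at all, but the gateway must refuse any child SA whose VPN does not match the IKE SA's authenticated peer, otherwise the same cross-VPN leak reappears at negotiation time.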