Re: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)

[Mark Duffy <mduffy@xxxxxxxxxxxxxx>]

At 01:15 PM 10/10/2003 +0300, Tero Kivinen wrote:
> Now I am confused. Earlier I thought that VPN-ID was meant to be like
> a traffic selector, i.e that you could create one IKE SA and then for
> each IPsec SA you select which VPN-ID is used. You seem to be
> proposing that VPN-ID is more like the IKE authentication ID, i.e the
> identity of the other end.
>
> For that kind of use you need to have separate IKE SA for each VPN,
> and then the proper way to do that is use separate credentials and
> authentication ID per VPN.

Some folks participating in this discussion are talking about binding 
VPN-IDs to child SAs and others are talking about binding VPN-IDs to IKE 
SAs.  This is because people have different applications in mind and so 
they have different requirements.


> Anyways, I think this is something that is not for general IPsec use,
> but more specific case, thus I do not think we should include the
> current issue #68 in the RFC2401bis now. I think we can write new
> document to describe how to do that kind of things.
>
> Can we agree on that now?

At this point I think that proponents of the VPN-ID signalling in IKE need 
to go off and write an I-D or I-Ds about extending IKEv2 to convey 
VPN-IDs.  I would hope to see 2401bis written in such a way that it will 
accommodate use of such signalling.  But, I don't know exactly what that 
means in terms of text in 2401bis.

--Mark