
Re: Issue 68 ("VPNs with overlapping IP address ranges")



At 12:55 -0400 10/14/03, Angelos D. Keromytis wrote:
We discussed this issue in our weekly telecon...it appears that there are two
separate, but connected issues here:

a) Some kind of IKE notification to inform the SG which subscriber the initiator
   wants to talk to; this is something that should be resolved in IKEv2, most
   likely as an additional document.

b) Support in the IPsec stack (meaning 2401bis text) for the notion of different
   subscribers. This part is applicable to 2401bis and thus to this issue. How
   it is implemented should be left to the individual implementations. There
   may be some merit in including a paragraph in 2401bis mentioning the issue;
   so:


We solicit 1 paragraph describing the issue and the possibilities for
implementing it, to be included in 2401bis. If such a paragraph does not
materialize in a week (by our next telecon), we will simply drop the issue.


Cheers,
-Angelos

I just returned from a 2 week trip and am catching up on mail, lots of mail ...


Still, I am a bit concerned by this characterization. Having looked at the traffic on this issue, I did not see a clear description of how two implementations would signal the necessary info in a standard fashion. So I think that topic 1, the IKEv2 extension, will be critical.

As for item 2 above, we think it is appropriate to discuss this issue and I thought we had proposed text to that effect. That text noted that it was a local matter as to how one took traffic from multiple subscribers and mapped it to the right SPD, but one has to discuss this as part of the overall processing model, to ensure that the model is clear and as complete as possible.

Steve