Re: Issue 68 ("VPNs with overlapping IP address ranges")

[Stephen Kent <kent@xxxxxxx>]

At 14:50 -0400 10/14/03, Angelos D. Keromytis wrote:
> In message <>, Stephen Kent writes:
> > Still, I am a bit concerned by this characterization. Having looked
> > at the traffic on this issue, I did not see a clear description of
> > how two implementations would signal the necessary info in a standard
> > fashion.  So I think that topic 1, the IKEv2 extension, will be
> > critical.
>
> It may be critical, but it certainly isn't part of 2401bis. There is also some
> apparent confusion as to what exactly is needed (some people talking about
> Phase1 IDs for authentication, others about Subscriber IDs, and so on).

I think it will be critical for a standard, interoperable solution 
for PPVPNs. However, since we have yet to agree on exactly what is 
needed, and we are not putting this in IKEv2 now, it is not something 
that needs to be in 2401bis, as you said.

> > As for item 2 above, we think it is appropriate to discuss this issue
> > and I thought we had proposed text to that effect.  That text noted
> > that it was a local matter as to how one took traffic from multiple
> > subscribers and mapped it to the right SPD, but one has to discuss
> > this as part of the overall processing model, to ensure that the
> > model is clear and as comp;lete as possible.
>
> There wasn't proposed text as such, just indications as to what might be
> included (items 1 and 2 in the issue description). As to the 
> proposed approach,
> (a) is certainly acceptable, but (b) and (c) seem outside the scope of 2401bis
> (suggesting use of NAT!)
> -Angelos

Telling folks what has to be done to make this work is within the 
scope of 2401bis, even if (heaven forbid!) NAT is needed. We 
discussed this with people who make these products and the feedback 
we got is consistent with the proposal.

Steve