Re: Issue 68 ("VPNs with overlapping IP address ranges")

At 14:50 -0400 10/14/03, Angelos D. Keromytis wrote:
In message <>, Stephen Kent writes:

Still, I am a bit concerned by this characterization. Having looked at the traffic on this issue, I did not see a clear description of how two implementations would signal the necessary info in a standard fashion. So I think that topic 1, the IKEv2 extension, will be critical.

It may be critical, but it certainly isn't part of 2401bis. There is also some apparent confusion as to what exactly is needed (some people talking about Phase1 IDs for authentication, others about Subscriber IDs, and so on).

I think it will be critical for a standard, interoperable solution for PPVPNs. However, since we have yet to agree on exactly what is needed, and we are not putting this in IKEv2 now, it is not something that needs to be in 2401bis, as you said.

As for item 2 above, we think it is appropriate to discuss this issue and I thought we had proposed text to that effect. That text noted that it was a local matter as to how one took traffic from multiple subscribers and mapped it to the right SPD, but one has to discuss this as part of the overall processing model, to ensure that the model is clear and as complete as possible.

There wasn't proposed text as such, just indications as to what might be included (items 1 and 2 in the issue description). As to the proposed approach, (a) is certainly acceptable, but (b) and (c) seem outside the scope of 2401bis (suggesting use of NAT!)

Telling folks what has to be done to make this work is within the scope of 2401bis, even if (heaven forbid!) NAT is needed. We discussed this with people who make these products and the feedback we got is consistent with the proposal.