Re: Issue 68 ("VPNs with overlapping IP address ranges")
At 14:50 -0400 10/14/03, Angelos D. Keromytis wrote:
In message <>, Stephen Kent writes:

Still, I am a bit concerned by this characterization. Having looked
at the traffic on this issue, I did not see a clear description of
how two implementations would signal the necessary info in a standard
fashion. So I think that topic 1, the IKEv2 extension, will be

It may be critical, but it certainly isn't part of 2401bis. There is also some
apparent confusion as to what exactly is needed (some people talking about
Phase1 IDs for authentication, others about Subscriber IDs, and so on).

I think it will be critical for a standard, interoperable solution
for PPVPNs. However, since we have yet to agree on exactly what is
needed, and we are not putting this in IKEv2 now, it is not something
that needs to be in 2401bis, as you said.

As for item 2 above, we think it is appropriate to discuss this issue
and I thought we had proposed text to that effect. That text noted
that it was a local matter as to how one took traffic from multiple
subscribers and mapped it to the right SPD, but one has to discuss
this as part of the overall processing model, to ensure that the
model is clear and as complete as possible.

There wasn't proposed text as such, just indications as to what might be
included (items 1 and 2 in the issue description). As to the
(a) is certainly acceptable, but (b) and (c) seem outside the scope of 2401bis
(suggesting use of NAT!)

Telling folks what has to be done to make this work is within the
scope of 2401bis, even if (heaven forbid!) NAT is needed. We
discussed this with people who make these products and the feedback
we got is consistent with the proposal.