
Re: Issue 68 ("VPNs with overlapping IP address ranges")

Good enough.

In message <>, Mark Duffy writes:
>Here in response to the solicitation is a proposed text re multiple context 
>support in 2401bis:
>      IPsec devices supporting services such as: security gateway for 
>multiple subscribers, IPsec-protected tunnel links for overlay networks, 
>etc. MAY implement multiple separate IPsec contexts.  These contexts MAY 
>have and use completely independent identities, policies, key management 
>SAs, and/or IPsec SAs.  This is for the most part a local implementation 
>matter.  However, a means for associating inbound proposals with local 
>contexts is required.  To this end, if supported by the key management 
>protocol in use, context identifiers MAY be conveyed from initiator to 
>responder in the signalling messages, with the result that IPsec SAs are 
>created with a binding to a particular context.
>At 12:55 PM 10/14/2003 -0400, Angelos D. Keromytis wrote:
>>We discussed this issue in our weekly telecon...it appears that there are two
>>separate, but connected issues here:
>>a) Some kind of IKE notification to inform the SG which subscriber the
>>    wants to talk to; this is something that should be resolved in IKEv2, most
>>    likely as an additional document.
>>b) Support in the IPsec stack (meaning 2401bis text) for the notion of
>>    subscribers. This part is applicable to 2401bis and thus to this issue. How
>>    it is implemented should be left to the individual implementations. There
>>    may be some merit in including a paragraph in 2401bis mentioning the issue;
>>    so:
>>     We solicit 1 paragraph describing the issue and the possibilities for
>>     implementing it, to be included in 2401bis. If such a paragraph does not
>>     materialize in a week (by our next telecon), we will simply drop the issue.
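The context binding described in the proposed 2401bis text, illustrated as an added example that is not part of this thread or of any IPsec implementation: a gateway keeps a per-context SPD and SAD so that two subscribers with identical private ranges do not collide. Subscriber names, SPIs and peer addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed scenario: one security gateway serves two subscribers whose
# private networks overlap (both use 10.0.0.0/24). Each subscriber is a
# separate IPsec context with its own SPD entries and its own SAs.

@dataclass(frozen=True)
class Sa:
    spi: int
    peer: str        # remote tunnel endpoint
    context: str     # context this SA was created under

class SecurityGateway:
    def __init__(self):
        self.spd = {}   # context -> [(selector network, SA)]
        self.sad = {}   # (context, spi) -> SA

    def add_sa(self, context, selector, sa):
        # The binding to a context is fixed when the SA is created, e.g.
        # from a context identifier carried in the key management exchange.
        self.spd.setdefault(context, []).append((ip_network(selector), sa))
        self.sad[(context, sa.spi)] = sa

    def outbound(self, context, dst):
        # SPD lookup is scoped by context, so overlapping selectors in
        # different contexts never match each other's traffic.
        addr = ip_address(dst)
        for net, sa in self.spd.get(context, []):
            if addr in net:
                return sa
        return None

    def inbound(self, context, spi):
        # SAD lookup is likewise keyed by (context, SPI).
        return self.sad.get((context, spi))

    def ambiguous_matches(self, dst):
        # What a single, context-less SPD would see: every SA whose
        # selector covers dst, regardless of subscriber.
        addr = ip_address(dst)
        return [sa for entries in self.spd.values()
                for net, sa in entries if addr in net]

def build_demo_gateway():
    gw = SecurityGateway()
    gw.add_sa("subscriber-A", "10.0.0.0/24", Sa(0x1001, "198.51.100.10", "subscriber-A"))
    gw.add_sa("subscriber-B", "10.0.0.0/24", Sa(0x2002, "203.0.113.20", "subscriber-B"))
    return gw
```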