Panwei (William) <william.panwei=40huawei....@dmarc.ietf.org> wrote:
> At yesterday's meeting, I think people basically understood and
> accepted the problem statement itself, but also raised different ideas
> regarding to the solutions. We'll try to do more analysis and
> comparison of possible solutions, including what you suggested.

I think that one thing that is unclear to me is whether the different RANs
can tolerate that all the different traffic share the same *IKE* SA.
The next level is whether or not they can tolerate being in the same CHILD SA.
We could put the "VPN ID" at another layer (inside the common tunnel), such as
some kind of L3VPN, GRE, VXLAN.

> we'd like to know more if it's OK. Switching to a new protocol is
> still a reasonable solution for us, although it has pains. Developing
> a new protocol in IETF will cost time, we'd like to adopt the new
> protocol after it's standardized. But we need to solve our problem

I don't think you need any new protocols, but maybe new ways to combine
existing protocols. For instance, some IKEv2 support for configuring VXLAN.

But, this depends upon the *security* and traffic isolation that you need.
For instance, do you have issues of traffic accounting between the RANs that
occurs on the outside (ESP) packets?

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec