Archive for the ‘Network Protocols’ Category
Extending virtual routing to IKE
August 2nd, 2011
By Yann Rapaport, 6WIND Customer Support and Service Manager.
Virtual Routing and Forwarding allows a router to handle multiple independent instances of a routing table. Therefore a single router can handle overlapping IP addresses and routes, provided that they are in different VRF instances.
This has an impact on all protocols handling interfaces, IP addresses or routes. In the case of IPsec, Security Policies (SPs) and Security Associations (SAs) are extended with VRF information to take into account the VRF of the packets before and after IPsec processing. As a result of this, the IKE protocol, which is responsible for dynamically negotiating SPs and SAs, also handles VRFs.
For performance reasons, 6WIND has extended its IKE daemon to handle multiple VRFs, instead of using one daemon per VRF instance. The IKE daemon’s APIs, configuration interfaces (configuration files and tools, CLI), kernel interface (IKE UDP socket), IKE protocol implementation and test tools have been extended to support VRF identifiers.
We would be happy to hear about your IKE and Virtual Routing use cases. Please don’t hesitate to provide feedback using the comments section.
Posted in 
Tags: 