
RE: Is TS agreement necessary?



Hi Bill,


> -----Original Message-----
> From: Bill Sommerfeld [mailto:sommerfeld@east.sun.com]
> Sent: Wednesday, April 03, 2002 12:14 PM
> To: Rajesh Mohan
> Cc: Scott G. Kelly; Mike Ditto; ipsec@lists.tislabs.com
> Subject: Re: Is TS agreement necessary? 
> 
> 
> > In my case, on the sender side, I would decide on a tunnel based on
> > VLAN ID or the port from which the packet was received. The
> > selectors in IPSec makes it less flexible for applications like
> > these.
> 
> So, that sounds like it's accommodated by "different SPD per inbound
> interface", which is what 2401 tells you to do.
> 

I guess I missed this. But still, I think having selectors in IPSec is not required in some cases. Let me try to justify it using another example.


Say we have this special box made to be used in data centers. We have a regular IPSec-compliant box in the corporate network. It will be convenient for the administrator at the data center to tunnel all traffic of a particular VLAN to the corporate network. He does not care what network is at the remote end. On the other end, the corporate administrator has well-defined selectors for the tunnel to the cage.

In this asymmetric setup, having no selectors at IPSec (and a way to negotiate this in IKEv2) is useful.

Thanks,
-Rajesh M

> - Bill
>
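To make the asymmetry in the thread concrete, here is an added toy model (not code from the thread or from any IPsec implementation) of RFC 2401-style SPD lookup with one SPD per inbound interface on the data-center side and explicit selectors on the corporate side. All interface names, tunnel names and addresses are constructed assumptions.

```python
# Added example: per-interface SPD on the sender, selector enforcement on the receiver.
# Shows the failure mode of unnegotiated selectors: the data-center box tunnels
# everything from a VLAN, the corporate box drops what its selectors do not cover.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    iface: str  # inbound interface (VLAN) on the data-center box


@dataclass(frozen=True)
class Selector:
    src: str = "0.0.0.0/0"  # defaults are wildcards ("no selectors")
    dst: str = "0.0.0.0/0"
    proto: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto))


# Data-center side (constructed): "different SPD per inbound interface",
# each with a single wildcard selector, i.e. tunnel everything from that VLAN.
DC_SPD = {
    "vlan10": [(Selector(), "tunnel-to-corp")],
    "vlan20": [(Selector(), "tunnel-to-partner")],
}

# Corporate side (constructed): well-defined selectors per tunnel SA, checked
# against every decapsulated packet, as 2401 requires on inbound processing.
CORP_INBOUND_SPD = {
    "tunnel-to-corp": [Selector(src="10.1.0.0/16", dst="192.168.0.0/16")],
}


def sender_lookup(spd, pkt: Packet) -> str:
    """Pick the tunnel by inbound interface, then by selector; else discard."""
    for sel, action in spd.get(pkt.iface, []):
        if sel.matches(pkt):
            return action
    return "discard"


def receiver_check(inbound_spd, tunnel: str, pkt: Packet) -> bool:
    """Receiver accepts a decapsulated packet only if the SA's selectors cover it."""
    return any(sel.matches(pkt) for sel in inbound_spd.get(tunnel, []))


def end_to_end(pkt: Packet) -> str:
    tunnel = sender_lookup(DC_SPD, pkt)
    if tunnel == "discard":
        return "discard-at-sender"
    return "deliver" if receiver_check(CORP_INBOUND_SPD, tunnel, pkt) else "discard-at-receiver"
```

The second case in the test is the cost of the asymmetry: the sender spends cipher and bandwidth on a packet the receiver's selectors will reject, which is why the thread asks for a way to negotiate (or explicitly waive) selectors in IKEv2.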