
Re: Is TS agreement necessary?



> What does any,any mean in an SAD? How do you differentiate between any,any
> to peer1, from any,any to peer2? If you use the same interface to go out
> to peer1 and peer2, and the same SAD is being used for all the SAs on that
> interface, when there is some data traffic, the traffic will hit all the
> any,any selectors in the SAD. How do you decide which selector to pick,
> and hence which peer to send the data to?
> 
> By having an interoperable agreement of what an any,any selector means,
> the IPsec peers can probably agree to create a virtual tunnel interface
> for all any,any selectors, so that routing can differentiate between the
> any,any tunnels, and route the traffic appropriately. Without making that
> assumption, if we send an any,any to a peer, then that would probably
> confuse the peer, and make it send ALL traffic to me (at least all traffic
> on that interface).

Agreed. This problem arises only when I have an SPD per interface. From
a router customer point of view, the customer wants to see IPsec
tunneling similar to a GRE tunneling and let the forwarding table decide
what packets should be forwarded to IPsec tunnel. Here, the forwarding
table is the SPD for me (a global one), not a per interface SPD. Please
correct me if I misunderstood the whole IPsec concept as it should be
looked at.

Thanks,
Kalyan.
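To make the ambiguity discussed in this thread concrete, here is a small Python model added as an illustration (not code from either poster or from any IPsec implementation). It contrasts a flat per-interface SAD lookup, where two any,any selectors both match every packet, with the virtual-tunnel-interface approach, where each any,any SA is bound to its own interface and a global forwarding table picks the tunnel by longest-prefix match. All peers, prefixes and interface names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class SA:
    peer: str                       # remote gateway this SA was negotiated with
    src_sel: ipaddress.IPv4Network  # negotiated traffic selector (source)
    dst_sel: ipaddress.IPv4Network  # negotiated traffic selector (destination)

# Constructed sample: both peers negotiated any,any on the same outbound interface.
SAD = [SA("peer1", ANY, ANY), SA("peer2", ANY, ANY)]

def flat_lookup(sad, src, dst):
    """Per-interface SAD lookup by selector alone: returns every SA whose
    selectors cover the packet. With two any,any SAs this is never unique."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [sa for sa in sad if s in sa.src_sel and d in sa.dst_sel]

# Virtual tunnel interface model: each any,any SA is bound to its own tunnel
# interface, and a global forwarding table decides which tunnel a packet enters.
TUNNELS = {"ipsec0": SAD[0], "ipsec1": SAD[1]}
FIB = {  # constructed routes: prefix -> egress interface
    ipaddress.ip_network("10.1.0.0/16"): "ipsec0",
    ipaddress.ip_network("10.2.0.0/16"): "ipsec1",
    ipaddress.ip_network("10.2.5.0/24"): "ipsec0",  # more specific route wins
}

def route_lookup(fib, dst):
    """Longest-prefix match; returns the egress interface, or None if unrouted."""
    d = ipaddress.ip_address(dst)
    matches = [p for p in fib if d in p]
    if not matches:
        return None
    return fib[max(matches, key=lambda p: p.prefixlen)]

def routed_lookup(fib, tunnels, dst):
    """Select the SA through the tunnel interface the forwarding table chose,
    so the choice between the two any,any SAs is made by routing, not selectors."""
    iface = route_lookup(fib, dst)
    return tunnels.get(iface) if iface else None
```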