
Re: Is TS agreement necessary?
At 2:58 PM -0800 4/5/02, Kalyan Bade wrote:
>>  What does any,any mean in an SAD? How do you differentiate between any,any
>>  to peer1, from any,any to peer2? If you use the same interface to go out
>>  to peer1 and peer2, and the same SAD is being used for all the SAs on that
>>  interface, when there is some data traffic, the traffic will hit all the
>>  any,any selectors in the SAD. How do you decide which selector to pick,
>>  and hence which peer to send the data to?
>>
>>  By having an interoperable agreement of what an any,any selector means,
>>  the IPsec peers can probably agree to create a virtual tunnel interface
>>  for all any,any selectors, so that routing can differentiate between the
>>  any,any tunnels, and route the traffic appropriately. Without making that
>>  assumption, if we send an any,any to a peer, then that would probably
>>  confuse the peer, and make it send ALL traffic to me (at least all traffic
>>  on that interface).
>
>Agreed. This problem arises only when I have an SPD per interface. From
>a router customer point of view, the customer wants to see IPsec
>tunneling similar to a GRE tunneling and let the forwarding table decide
>what packets should be forwarded to IPsec tunnel. Here, the forwarding
>table is the SPD for me (a global one), not a per interface SPD. Please
>correct me if I misunderstood the whole IPsec concept as it should be
>looked at.
>
>Thanks,
>Kalyan.

RFC 2401 is reasonably clear in noting that the SPD is nominally per 
interface. What sort of management interface is provided to a client 
is up to the vendor, so long as one can achieve the same effects as a 
per-interface SPD.  Otherwise, the implementation would not be 
compliant.

Steve
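
The ambiguity Kalyan describes (two any,any selectors in one SAD/SPD, with no way to tell which peer a packet belongs to) and the resolution both messages converge on (let forwarding pick a virtual tunnel interface, then apply that interface's SPD) can be shown in a small model. The following is an added illustration written for this page, not code from the ipsec list, RFC 2401 or any real IPsec stack; the class and function names (Selector, SPDEntry, lookup_global, lookup_route_based, lpm) and the sample peers, prefixes and interface names are hypothetical. It models only outbound policy lookup on IPv4 selectors and ignores SA negotiation entirely.

```python
# Toy model of IPsec outbound policy lookup: a single global SPD versus a
# per-interface SPD reached through the forwarding table. Added example;
# all names and sample addresses here are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int = 6          # TCP unless stated otherwise
    dport: int = 0


@dataclass(frozen=True)
class Selector:
    """RFC 2401-style traffic selector; 0.0.0.0/0 or None means 'any'."""
    src: IPv4Net = ANY_NET
    dst: IPv4Net = ANY_NET
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


ANY_ANY = Selector()            # the "any,any" selector discussed in the thread


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    peer: str                   # tunnel endpoint this entry protects traffic to


def lookup_global(spd, pkt):
    """First-match lookup in one interface-independent SPD."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry.peer
    return None


def matching_peers(spd, pkt):
    """All matching entries, to expose the ambiguity of duplicate any,any."""
    return [e.peer for e in spd if e.selector.matches(pkt)]


def lpm(fib, dst):
    """Longest-prefix match over a (prefix, interface) forwarding table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best[1] if best else None


def lookup_route_based(fib, spd_per_if, pkt):
    """Forwarding chooses the (virtual tunnel) interface; that interface's
    SPD is then consulted. Returns (interface, peer); peer is None when the
    chosen interface carries no IPsec policy (cleartext)."""
    ifname = lpm(fib, pkt.dst)
    return ifname, lookup_global(spd_per_if.get(ifname, []), pkt)


# Constructed sample configuration: two any,any tunnels to different peers.
GLOBAL_SPD = [SPDEntry(ANY_ANY, "peer1"), SPDEntry(ANY_ANY, "peer2")]

FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "ipsec0"),   # virtual tunnel to peer1
    (ipaddress.ip_network("10.2.0.0/16"), "ipsec1"),   # virtual tunnel to peer2
    (ANY_NET, "eth0"),                                  # default route, no IPsec
]
SPD_PER_IF = {
    "ipsec0": [SPDEntry(ANY_ANY, "peer1")],
    "ipsec1": [SPDEntry(ANY_ANY, "peer2")],
}

if __name__ == "__main__":
    pkt = Packet("192.0.2.10", "10.2.5.5", dport=443)
    # Global SPD: first any,any wins, so everything goes to peer1.
    print("global SPD picks", lookup_global(GLOBAL_SPD, pkt),
          "out of", matching_peers(GLOBAL_SPD, pkt))
    # Route-based: the forwarding table sends 10.2/16 to ipsec1, hence peer2.
    print("route-based picks", lookup_route_based(FIB, SPD_PER_IF, pkt))
```

With the global SPD both entries match every packet and first-match sends all traffic to peer1, which is exactly the "send ALL traffic to me" behaviour Kalyan worries about. Binding each any,any SPD to its own virtual tunnel interface makes the forwarding table the disambiguator, and the per-interface SPD then never has to choose between peers.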