Re: Is TS agreement necessary?
At 2:58 PM -0800 4/5/02, Kalyan Bade wrote:
>> What does any,any mean in an SAD? How do you differentiate between any,any
>> to peer1, from any,any to peer2? If you use the same interface to go out
>> to peer1 and peer2, and the same SAD is being used for all the SAs on that
>> interface, when there is some data traffic, the traffic will hit all the
>> any,any selectors in the SAD. How do you decide which selector to pick,
>> and hence which peer to send the data to?
>>
>> By having an interoperable agreement of what an any,any selector means,
>> the IPsec peers can probably agree to create a virtual tunnel interface
>> for all any,any selectors, so that routing can differentiate between the
>> any,any tunnels, and route the traffic appropriately. Without making that
>> assumption, if we send an any,any to a peer, then that would probably
>> confuse the peer, and make it send ALL traffic to me (at least all traffic
>> on that interface).
>
>Agreed. This problem arises only when I have an SPD per interface. From
>a router customer point of view, the customer wants to see IPsec
>tunneling similar to a GRE tunneling and let the forwarding table decide
>what packets should be forwarded to IPsec tunnel. Here, the forwarding
>table is the SPD for me (a global one), not a per interface SPD. Please
>correct me if I misunderstood the whole IPsec concept as it should be
>looked at.
>
>Thanks,
>Kalyan.
RFC 2401 is reasonably clear in noting that the SPD is nominally per
interface. What sort of management interface is provided to a client
is up to the vendor, so long as one can achieve the same effects as a
per-interface SPD. Otherwise, the implementation would not be
compliant.
Steve
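The ambiguity the thread is arguing about can be made concrete with a small model. The following is an added example written for this archive page, not code from either poster or from any IPsec implementation: it builds one SPD holding an any,any selector for each of two peers on a shared interface, shows that a packet matches both entries so the SPD alone cannot choose a peer, flags that overlap as a configuration error, and then shows the alternative Kalyan describes, where a forwarding table picks a virtual tunnel interface first and only that interface's SPD is consulted. All addresses, peer names and interface names (`peer1`, `peer2`, `tun1`, `tun2`, `eth0`) are constructed for the illustration.

```python
"""Model of the any,any selector problem (constructed illustration, not an IPsec stack).

Two tunnels leave the same physical interface. With one SPD holding an any,any
selector for each peer, a packet matches both entries and the SPD alone cannot
say which peer it belongs to. Giving each tunnel its own virtual interface and
letting the forwarding table choose the interface first makes the per-interface
SPD unambiguous. Every address, peer and interface name below is made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Selector:
    src: str  # "any" or a CIDR prefix
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _contains(self.src, src_ip) and _contains(self.dst, dst_ip)

    def overlaps(self, other: "Selector") -> bool:
        return _overlap(self.src, other.src) and _overlap(self.dst, other.dst)


def _contains(pattern: str, ip: str) -> bool:
    return pattern == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def _overlap(a: str, b: str) -> bool:
    if ANY in (a, b):
        return True
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


@dataclass(frozen=True)
class SpdEntry:
    selector: Selector
    peer: str  # remote tunnel endpoint the matching traffic is protected towards


def global_spd_matches(spd: List[SpdEntry], src_ip: str, dst_ip: str) -> List[str]:
    """One SPD shared by every SA on the interface: return every peer whose
    selector accepts the packet. More than one answer means the SPD is ambiguous."""
    return [e.peer for e in spd if e.selector.matches(src_ip, dst_ip)]


def ambiguous_pairs(spd: List[SpdEntry]) -> List[Tuple[str, str]]:
    """Configuration check: pairs of entries in one SPD whose selectors overlap
    but point at different peers (two any,any entries are the extreme case)."""
    found = []
    for i, a in enumerate(spd):
        for b in spd[i + 1:]:
            if a.peer != b.peer and a.selector.overlaps(b.selector):
                found.append((a.peer, b.peer))
    return found


def route(fib: List[Tuple[str, str]], dst_ip: str) -> Optional[str]:
    """Longest-prefix match over (prefix, interface) pairs."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def tunnel_interface_lookup(fib: List[Tuple[str, str]], spds: Dict[str, List[SpdEntry]],
                            src_ip: str, dst_ip: str) -> Optional[str]:
    """Forwarding table first, then only the SPD of the chosen (virtual) interface."""
    iface = route(fib, dst_ip)
    for e in spds.get(iface, []):
        if e.selector.matches(src_ip, dst_ip):
            return e.peer
    return None


# Constructed sample: one physical interface carrying tunnels to peer1 and peer2.
ANY_ANY = Selector(ANY, ANY)
SHARED_SPD = [SpdEntry(ANY_ANY, "peer1"), SpdEntry(ANY_ANY, "peer2")]

# Virtual tunnel interface model: the FIB selects tun1/tun2, each with its own SPD.
FIB = [("10.1.0.0/16", "tun1"), ("10.2.0.0/16", "tun2"), ("0.0.0.0/0", "eth0")]
PER_IFACE_SPD = {"tun1": [SpdEntry(ANY_ANY, "peer1")], "tun2": [SpdEntry(ANY_ANY, "peer2")]}

if __name__ == "__main__":
    print(global_spd_matches(SHARED_SPD, "192.0.2.10", "10.2.0.5"))  # both peers match
    print(ambiguous_pairs(SHARED_SPD))                                # overlap flagged
    print(tunnel_interface_lookup(FIB, PER_IFACE_SPD, "192.0.2.10", "10.2.0.5"))  # peer2
```

The `ambiguous_pairs` check is the part worth keeping around: run it over each SPD before it is loaded and any pair of overlapping selectors that lead to different peers is a configuration to fix, not something to leave for first-match ordering to resolve silently. In the virtual-interface model the per-tunnel SPD still contains an any,any entry, but it is unambiguous because the forwarding decision has already narrowed the candidate SAs to one tunnel, which is what lets the arrangement stay equivalent to the per-interface SPD that RFC 2401 describes.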