Dave, Ali,

When PE-A has multiple IPsec tunnels with another PE (PE-B), some per WAN port, some per subnet or per tenant, are the policy-list and DH-group-list specific to one IPsec tunnel or to all the IPsec tunnels terminated at PE-A? For example, if PE-A has a PE-based IPsec tunnel with PE-B, a tenant-based IPsec tunnel with PE-C, and a WAN-port-based IPsec tunnel with PE-D, does PE-A have a different DH-group-list for each IPsec tunnel?

Thanks,
Linda

From: Linda Dunbar
Sent: Friday, January 18, 2019 11:48 AM
To: '[email protected]' <[email protected]>; [email protected]
Cc: 'Ali Sajassi (sajassi)' <[email protected]>
Subject: Comments to draft-sajassi-bess-secure-evpn-00

Ali, et al,

One of the requirements you state in the document (under section 2.3) is:

"1) Per pair of PEs: A single IPsec tunnel between a pair of PEs to be used for all tenants' traffic supported by the pair of PEs."

Assuming that the solution is intended for SD-WAN: SD-WAN edge nodes usually have some ports connected to a trusted domain (e.g. an MPLS network), which doesn't need an IPsec tunnel, and some ports connected to an untrusted domain (e.g. the Internet), which does. Therefore, for a PE-based IPsec tunnel, it is necessary to associate the WAN ports (facing the untrusted domain) with the IPsec tunnels. Actually, even for the other granularities of IPsec tunnels (per tenant, per subnet, or per IP), it is necessary to associate them with the WAN ports as well, because the trusted domain doesn't need an IPsec SA.

Linda Dunbar
_______________________________________________
BESS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/bess
