Dave, Ali,

When a PE-A has multiple IPsec tunnels with another PE (PE-B), some per WAN 
port, some per subnet or per tenant, are the policy-list & DH-group-list 
specific to one IPsec tunnel or to all the IPsec tunnels terminated at 
PE-A?  For example, if PE-A has a PE-based IPsec tunnel with PE-B, a tenant-based IPsec 
tunnel with PE-C, and a WAN-port-based IPsec tunnel with PE-D, does PE-A have a different 
DH-group-list for each IPsec tunnel?

Thanks, Linda

From: Linda Dunbar
Sent: Friday, January 18, 2019 11:48 AM
To: 'draft-sajassi-bess-secure-e...@ietf.org' 
<draft-sajassi-bess-secure-e...@ietf.org>; bess@ietf.org
Cc: 'Ali Sajassi (sajassi)' <saja...@cisco.com>
Subject: Comments to draft-sajassi-bess-secure-evpn-00

Ali, et al,

One of the requirements you stated in the document is (under section 2.3)

   "1) Per pair of PEs: A single IPsec tunnel between a pair of PEs to be used 
for all tenants' traffic supported by the pair of PEs."

Assuming that the solution is intended for SD-WAN: the SD-WAN edge nodes 
usually have some ports connected to a trusted domain (e.g. MPLS network) which 
don't need an IPsec tunnel, and some ports connected to an untrusted domain (e.g. 
Internet) which do need an IPsec tunnel. Therefore, for PE-based IPsec tunnels, it is 
necessary to associate the WAN ports (facing the untrusted domain) with the IPsec 

Actually, even for the other granularities (such as per tenant, per subnet, or per 
IP) of IPsec tunnels, it is necessary to associate them with the WAN ports as well, 
because the trusted domain doesn't need an IPsec SA.

Linda Dunbar
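The two questions in this thread (whether policy-list / DH-group-list are attached to each IPsec tunnel or to the PE, and whether tunnels of every granularity must be tied to the untrusted-facing WAN ports) can be made concrete with a small model. The following Python is an added illustration, not code from the draft or from any EVPN implementation; the class and function names, the "most specific tunnel wins" precedence, and the sample PE-A / PE-B / PE-C / PE-D topology are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Granularity(Enum):
    # The four granularities named in the thread / draft section 2.3.
    PER_PE = "per-pe"
    PER_TENANT = "per-tenant"
    PER_SUBNET = "per-subnet"
    PER_WAN_PORT = "per-wan-port"


@dataclass(frozen=True)
class IpsecTunnel:
    """One IPsec tunnel; policy-list and DH-group-list live here, per tunnel (assumption)."""
    remote_pe: str
    granularity: Granularity
    selector: str            # tenant id, subnet, or local WAN port; "" for per-PE
    policy_list: tuple       # e.g. ("aes-gcm-256",)  (constructed sample values)
    dh_group_list: tuple     # e.g. (19, 20)          (constructed sample values)


@dataclass(frozen=True)
class WanPort:
    name: str
    trusted: bool            # MPLS-facing = trusted, Internet-facing = untrusted


@dataclass
class PeNode:
    name: str
    ports: dict              # port name -> WanPort
    tunnels: list            # list[IpsecTunnel]

    def needs_ipsec(self, port_name: str) -> bool:
        # Only traffic leaving an untrusted-facing WAN port needs an IPsec SA.
        return not self.ports[port_name].trusted

    def dh_groups_by_tunnel(self) -> dict:
        # Shows that each tunnel carries its own DH-group-list, keyed by
        # (remote PE, granularity, selector).
        return {(t.remote_pe, t.granularity.value, t.selector): t.dh_group_list
                for t in self.tunnels}

    def select_tunnel(self, port_name: str, remote_pe: str,
                      tenant: Optional[str] = None,
                      subnet: Optional[str] = None) -> Optional[IpsecTunnel]:
        """Pick the tunnel whose SA would protect a flow, or None if none applies.

        Precedence (assumed, most specific first): per-WAN-port, per-subnet,
        per-tenant, per-PE.  A trusted port never selects a tunnel.
        """
        if not self.needs_ipsec(port_name):
            return None
        peers = [t for t in self.tunnels if t.remote_pe == remote_pe]
        order = [
            (Granularity.PER_WAN_PORT, port_name),
            (Granularity.PER_SUBNET, subnet),
            (Granularity.PER_TENANT, tenant),
            (Granularity.PER_PE, ""),
        ]
        for gran, sel in order:
            for t in peers:
                if t.granularity is gran and t.selector == sel:
                    return t
        return None


def build_example_pe_a() -> PeNode:
    """Constructed topology matching the thread: PE-A peers with PE-B, PE-C, PE-D."""
    return PeNode(
        name="PE-A",
        ports={"wan0": WanPort("wan0", trusted=True),     # MPLS
               "wan1": WanPort("wan1", trusted=False)},   # Internet
        tunnels=[
            IpsecTunnel("PE-B", Granularity.PER_PE, "", ("aes-gcm-256",), (14,)),
            IpsecTunnel("PE-C", Granularity.PER_TENANT, "tenant-1", ("aes-gcm-256",), (19, 20)),
            IpsecTunnel("PE-D", Granularity.PER_WAN_PORT, "wan1", ("chacha20-poly1305",), (21,)),
        ],
    )


if __name__ == "__main__":
    pe_a = build_example_pe_a()
    for key, groups in pe_a.dh_groups_by_tunnel().items():
        print(key, "->", groups)
    print("wan0 to PE-B:", pe_a.select_tunnel("wan0", "PE-B"))
    print("wan1 to PE-B:", pe_a.select_tunnel("wan1", "PE-B"))
```

With this model, the same PE ends up with three distinct DH-group-lists, one per tunnel, and a flow on the MPLS-facing port never selects any of them, which is the port association the second message argues for.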
