Ali, et al.,

One of the requirements you stated in the document is (under Section 2.3):

"1) Per pair of PEs: A single IPsec tunnel between a pair of PEs to be used for all tenants' traffic supported by the pair of PEs."

Assuming that the solution is intended for SD-WAN: the SD-WAN edge nodes usually have some ports connected to a trusted domain (e.g. MPLS network), which don't need an IPsec tunnel, and some ports connected to an untrusted domain (e.g. Internet), which need an IPsec tunnel. Therefore, for PE-based IPsec tunnels, it is necessary to associate the WAN ports (facing the untrusted domain) with the IPsec tunnels.

Actually, even for other granularities of IPsec tunnels (such as per tenant, per subnet, or per IP), it is necessary to associate them with the WAN ports as well, because the trusted domain doesn't need an IPsec SA.

Linda Dunbar
_______________________________________________ BESS mailing list BESS@ietf.org https://www.ietf.org/mailman/listinfo/bess