+1. I agree DNSSEC cannot be assumed; its deployments have been marginal.

I also agree with the need for an ad-hoc peer-to-peer VPN bypassing gateways. While there are implementations from multiple vendors, including the one I work for, there is no standardized/scalable solution for the problems associated with these scenarios. Key challenges are:

- Discoverability of suitable peers
- Discovery of the set of crypto contracts required if allowed

I won't be able to attend the IETF meeting in Taiwan; however, once the date and time is settled I'll coordinate with someone representing my company to attend the BOF meeting.

Thanks
Jorge Coronel

From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Geoffrey Huang
Sent: Wednesday, October 26, 2011 1:19 PM
To: ipsec@ietf.org
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem

I have to agree with the recent comments about the inapplicability of RFC 4322. I don't think that a DNSSEC infrastructure can be assumed, particularly not in the deployments I have seen.

I agree with Steve Hanna's comments about the need for ad-hoc peer-to-peer VPNs, bypassing a centralized hub. I also agree with Paul Hoffman's comments about using an already-existing "trusted introducer."

Finally, I will be in Taiwan, but specifically (only) to discuss this topic. I'm hoping that the date of Wednesday, November 16 is still good for the bar BOF that some of us had previously discussed.

-geoff
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec