Is there a mechanism in DNS to communicate this kind of policy?  As I 
understand the example below, the communication from hub-gw to spoke32 would be 
something like: "to get to 192.168.79.0/24, go to spoke79."

-geoff

-----Original Message-----
From: m...@sandelman.ca [mailto:m...@sandelman.ca] 
Sent: Monday, November 07, 2011 10:46 PM
To: Yoav Nir
Cc: ipsec@ietf.org; Geoffrey Huang; bill manning; Praveen Sathyanarayan
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem


>>>>> "Yoav" == Yoav Nir <y...@checkpoint.com> writes:
    Yoav> I don't see how DNS figures into this.  We have three
    Yoav> gateways: - hub-gw, which knows the protected domains of
    Yoav> everyone - spoke32, which protects 192.168.32.0/24, knows
    Yoav> about hub-gw, and sends all 192.168.0.0/16 to hub-gw.  -
    Yoav> spoke79, which protects 192.168.79.0/24, knows about hub-gw,
    Yoav> and sends all 192.168.0.0/16 to hub-gw
    >> Yes. And, how is this policy communicated?

    Yoav> Over IKE?

    Yoav> Using a new protocol that we'll invent?

    Yoav> SOAP?

    Yoav> As an attribute in a certificate, kind of like SIDR?

So, okay, so you want to do new work to replace work that's already been well 
defined, that uses DNS as the transport.

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
                       then sign the petition. 
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
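A constructed Python model of the hub-and-spoke policy Yoav describes and of the per-prefix hint Geoff asks about (added here as an illustration; it is not code from the thread, the draft, or any IPsec implementation). The gateway names, the tables, and the `learn_shortcut` function are assumptions; the model says nothing about which transport (DNS, IKE or otherwise) would carry the hint.

```python
import copy
import ipaddress

# Constructed model of the thread's topology: each gateway's table maps a
# destination prefix to the gateway that traffic for it is tunnelled to
# ("local" means this gateway protects the prefix itself).
HUB_AND_SPOKE = {
    "spoke32": {"192.168.32.0/24": "local", "192.168.0.0/16": "hub-gw"},
    "spoke79": {"192.168.79.0/24": "local", "192.168.0.0/16": "hub-gw"},
    "hub-gw":  {"192.168.32.0/24": "spoke32", "192.168.79.0/24": "spoke79"},
}

def next_hop(table, dst):
    """Longest-prefix match of dst against one gateway's table (None if no entry)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def tunnel_path(policy, src_gw, dst, max_hops=8):
    """Gateways a packet is tunnelled through until one claims dst as local."""
    hops, gw = [src_gw], src_gw
    while True:
        nh = next_hop(policy[gw], dst)
        if nh == "local":
            return hops
        # A spoke's /16 catch-all with no matching hub entry would otherwise
        # bounce forever; treat a missing entry or too many hops as a black hole.
        if nh is None or nh not in policy or len(hops) >= max_hops:
            raise ValueError(f"no route from {gw} to {dst}")
        hops.append(nh)
        gw = nh

def learn_shortcut(policy, spoke, prefix, gw):
    """Hypothetical: hub tells a spoke 'to reach <prefix>, go to <gw>' directly."""
    updated = copy.deepcopy(policy)
    updated[spoke][prefix] = gw   # more specific than the /16, so it wins
    return updated

if __name__ == "__main__":
    print(tunnel_path(HUB_AND_SPOKE, "spoke32", "192.168.79.5"))  # via hub-gw
    meshed = learn_shortcut(HUB_AND_SPOKE, "spoke32", "192.168.79.0/24", "spoke79")
    print(tunnel_path(meshed, "spoke32", "192.168.79.5"))         # spoke to spoke
```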