In this case we are effectively building an NBMA tunnel cloud, i.e., a bunch of
spoke nodes connected to one or more interconnected hubs.  Using NHRP to find
end-points in order to build the cross tunnels makes sense.  Once you have used
NHRP to find the endpoint then you can use IKE/IPsec to protect/encrypt the
tunnel.  This leaves IKE/IPsec the clear role of protecting the tunnels (data)
without having to complicate it with a mechanism to find end-points.  You get a
clean separation of roles and layers.

Mike.

> Sure, Fred, to do what it is supposed to do - it works fine. It was/is especially
> very useful over ATM and other NBMA clouds. The question here is - what is it
> we are trying to do?

> Galina

> -----Original Message-----
> From: Frederic Detienne [mailto:f...@cisco.com]
> Sent: Friday, November 11, 2011 11:59 AM
> To: Galina Pildush
> Cc: Michael Richardson; ipsec@ietf.org
> Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem

> NHRP is a generic protocol that converts overlay addresses in any address
> family into transport addresses in any address family. The protocol works over
> NBMA meaning that it can work over virtually anything (i.e. no exuberant
> requirements).

> There is a clean layer separation and NHRP does not need to "speak" IPsec as
> you say (whatever that means).

>       fred

> On 08 Nov 2011, at 17:18, Galina Pildush wrote:

> >
> >
> > NHRP is a protocol that is used to discover the shortest path through an
> > NBMA cloud. It does not, however, "speak" IPSec ...
> > 
> > Galina 
> >
> > -----Original Message-----
> > From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
> >  Michael Richardson
> > Sent: Tuesday, November 08, 2011 3:29 PM
> > To: Frederic Detienne
> > Cc: ipsec@ietf.org
> > Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
> >
> >
> > RFC2332: NBMA Next Hop Resolution Protocol (NHRP)
> >
> > I think that it is a much better thing to use something like this, than
> > invent something new.
> >
> > --
> > ]       He who is tired of Weird Al is tired of life!           |  firewalls [
> > ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> > ] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> >   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
> >                    then sign the petition.
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> >


+------------------------------------------------+
| Mike Sullenberger; DSE                         |
| m...@cisco.com                .:|:.:|:.         |
| Customer Advocacy              CISCO           |
+------------------------------------------------+
