On 11/28/2011 04:31 PM, Michael Ko wrote:
To establish a secure connection between two authorized network nodes,
some of the critical management tasks that are required include the
following:
1. Discover if the network nodes that a user is authorized to access are
currently online and active. (One can always resort to timeouts to
determine if the peer is online or not, but being able to ascertain the
status of the peer quickly would be nice.)
2. Discover the functional attributes associated with these authorized
network nodes.
3. Discover the location of the authorized network nodes. (E.g., current
IP address)
4. Determine if accessing the network node requires going through a
relay (e.g., TURN). Discover the location of the relay if it is needed.
5. Determine the parameters needed to establish a secure connection
between the two network nodes.
6. Discover, via inquiry or advertisement, other authorized network
nodes as they become active and available.
If we use the hub as the entity to provide this "discovery" function,
then the statement "hubs can receive information from the spokes about
what addresses the spoke gateways protect" comes closest to meeting the
requirement, although the information to be "discovered" includes the
above list and goes beyond just addresses.

Could you go into more detail about what you mean by "user" here,
and what "authorized" means?  Are you going out and querying an
authorization system?  Are you expecting that a pile of attributes
is going to be returned as the result of an authentication?  Is
a "user" some sort of authenticated credential, or something along
the lines of an NAI, or an IP address, or ... ?

Melinda
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec