On 05/08/12 22:17, Izaac wrote:
> On Tue, May 08, 2012 at 10:46:24PM +0300, Yaron Sheffer wrote:
>> While Vishwas and Steve are busy working on the next version, feel
>> free to read and comment on the current version.
>
> In what way is this "problem" not addressed by transport mode, despite
> its being "far less commonly deployed?"
>
> But more generally speaking, what exactly is this document attempting to
> accomplish in its present form?
I agree with Izaac.

Furthermore, a lot of the language in the draft is confusing (at least
to me). You talk about point-to-point tunnel creation, but many of your
use cases involve VPNs. Your use cases mostly describe configurations
that are already solved today using existing transport mode IPsec (2.1)
and VPN configurations (2.2 and 2.3). The idea of connecting to the VPN
(section 2.3) gateway closest to a particular destination seems
unworkable. It would be more reasonable, and probably more useful, for
a client to automatically locate the nearest VPN server to itself (that
alone would be an interesting and potentially useful problem).

I think you need to narrow down the scope of the problem statement, and
provide more careful analysis of why current methods are inadequate,
before this draft is going to get you much useful feedback.

As a side note, in general, the challenge in constructing large IPsec
configurations across multiple administrative domains is getting the
"trust relationship" in place to begin with, not the configuration of
IPsec and key management policy.

-John
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec