Yoav Nir <y...@checkpoint.com> wrote:
    >> I also read: draft-mao-ipsecme-ad-vpn-protocol and while conceptually
    >> I found it okay, I think that the protocol should be inside IKE.

    > Funny, I came to the opposite conclusion. I think it's too much like
    > IKE.

    > But actually, this should be split in two.

    > ADC to ADC communications, like the REDIRECT and SESSION could easily
    > run over an Informational exchange in IKE.

I agree.

    > But the ADC to ADS communications are, to quote section 1.1, "a client
    > and server protocol". And there is no reason to assume that the ADS can
    > even do IKE - it's a controller. So I think those parts of the protocol
    > could be done in a web service.

I think that the right model to think about here is EAP, IKE, Radius.

I think that the much of the ADC<->ADS protocol is EAP-like in nature.
I think that it should be carried in IKE, much like EAP is, to a hub.
The Hubs (which are small in number, and are well managed) would speak carry
ADVPN in PROTOCOL X, to the ADS.

Protocol X may well be TCP over IPsec, or just TCP, or maybe it's RESTful 
HTTP(s).

I don't think it matters a hoot if the ADS can do IPsec. It's IKE.
IKE is a UDP based protocol, and if you remove the IPsec requirement, it's
just another deamon.

It is the *HUB* and the *SPOKES* where I think one wants to remove as many
moving parts as possible, and in particular, remove any additional
firewall/policy complexity.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works


Attachment: pgpVWfCcMCDZL.pgp
Description: PGP signature

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to