On Fri, Oct 4, 2013 at 5:21 AM, Yoav Nir <y...@checkpoint.com> wrote:

> On Oct 3, 2013, at 4:57 PM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>>
>> I also read: draft-mao-ipsecme-ad-vpn-protocol and while conceptually I found
>> it okay, I think that the protocol should be inside IKE.
>
> Funny, I came to the opposite conclusion. I think it's too much like IKE.
>
> But actually, this should be split in two.
>
> ADC to ADC communications, like the REDIRECT and SESSION could easily run
> over an Informational exchange in IKE.
[Toby]: Yes, it may be, but I think the ADVPN protocol should be a separate and complete protocol, thus it is better not to extend the IKE protocol; it can be protected by the IKE/IPsec protocol.

> But the ADC to ADS communications are, to quote section 1.1, "a client and
> server protocol". And there is no reason to assume that the ADS can even do
> IKE - it's a controller. So I think those parts of the protocol could be done
> in a web service.
>
> But, why am I designing someone else's proposal?

[Toby]: For the ADVPN solution, the main goal of the ADVPN protocol is to discover IPsec peer neighbors on demand and establish a shortcut tunnel. To find the shortcut path efficiently, it maintains the private network information and private/public addresses. It is different from the IKE protocol, so it can be a totally new protocol.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec