> > 1.2 What happens when a prefix administratively changes from behind one
> > branch to another ? How do servers get notified about that ?
>
> [PRAVEEN] That’s an interesting point Fred, and thanks for bringing it up.
> First, please refer to the ADVPN_INFO Payload and PROTECTED_DOMAIN sections (3.6
> and 3.9, respectively) of
> http://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03. As a general
> rule, each spoke can download updated PROTECTED_DOMAIN information
> periodically, which advertises everything behind the hub and all other spokes
> combined. Of course, this does not change if some subnet has moved from
> behind spoke A to behind another spoke, B. However, the Lifetime attribute of
> the ADVPN_INFO payload is key here. We could see this being employed in a
> straightforward manner to allow for this transition: a) the subnet can
> "disappear" and be unreachable for one Lifetime, or b) the original spoke can
> redirect to the new spoke.

It turns out I did read those sections and this is exactly what surprised me. Your answer is even more surprising.

Before going any further, is this resource exclusively exchanged between hub & spoke or also between spokes ?

thanks,
fred