On Feb 3, 2014, at 5:02 PM, Michael Richardson <[email protected]> wrote:
>
> Harms, Patrick <[email protected]> wrote:
>> - is allowing to add 'spokes' without configuration changes on the 'hub'
>> devices (8.1 dmvpn draft)
>
>> For me, this is an important point. Changing the configuration on the hub
>> routers, every time a spoke is added to the network, would make the rollout
>> process too complex and is a possible source of failures.
>
> I don't see how you can add a spoke in any system without requiring some
> changes to at least one hub and/or the database/LDAP/etc. which keeps track
> of all the spokes.

1. You set up a CA
2. You accept connections from anyone presenting a certificate from that CA
3. You trust everything they tell you in routing protocols.

As long as only well-behaved spokes get issued certificates, and they never get compromised, everything is fine.

>> Based on the theories (advpn draft and dmvpn) and real world experience
>> (dmvpn), I would favor dmvpn, because the handling and operating sounds less
>> complex. (eg. lower amount of steps in tunnel initiation, single logical
>> interface for tunnel termination etc.)
>
> Do you care about mobile (handheld) devices?

Hey, those are higher-specced than the dual-pentium III at 800MHz with 512 MB of RAM that we were selling as a high-end gateway when I started working at Check Point :-)

Yoav
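An added example, not part of the original message or of either draft: a hub-side sketch that keeps steps 1 and 2 of the list above (no per-spoke hub configuration) but replaces step 3 with a filter, so a spoke can only announce prefixes bound to its certificate. The `SpokeCert` model, the idea that the certificate carries the allowed prefixes, and every name and value below are assumptions constructed for illustration.

```python
# Added illustration: hub-side filter for routes announced by an authenticated spoke.
# Assumption: each spoke certificate lists the prefixes that spoke may announce
# (modelled here as a plain field; all names and values are constructed).
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class SpokeCert:
    subject: str
    serial: int
    issuer: str
    allowed_prefixes: tuple  # strings such as "10.20.0.0/16"

TRUSTED_ISSUER = "CN=Example VPN CA"   # constructed
REVOKED_SERIALS = {1003}               # constructed CRL contents

def admit(cert):
    """Step 2 of the list: accept any unrevoked certificate from the CA."""
    return cert.issuer == TRUSTED_ISSUER and cert.serial not in REVOKED_SERIALS

def covered(route, allowed):
    """True if `route` is equal to or more specific than one allowed prefix."""
    net = ip_network(route, strict=True)
    for prefix in allowed:
        parent = ip_network(prefix)
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
        if net.version == parent.version and net.subnet_of(parent):
            return True
    return False

def filter_routes(cert, announced):
    """Replace step 3: split announcements into (accepted, rejected)."""
    if not admit(cert):
        return [], list(announced)
    accepted, rejected = [], []
    for route in announced:
        try:
            ok = covered(route, cert.allowed_prefixes)
        except ValueError:      # malformed prefix or host bits set
            ok = False
        (accepted if ok else rejected).append(route)
    return accepted, rejected

if __name__ == "__main__":
    spoke = SpokeCert("CN=spoke-17", 1001, TRUSTED_ISSUER,
                      ("10.20.0.0/16", "2001:db8:17::/48"))
    print(filter_routes(spoke, ["10.20.5.0/24", "0.0.0.0/0",
                                "10.21.0.0/16", "2001:db8:17:1::/64"]))
```

Adding a spoke still needs no change on the hub, because the authorisation travels with the certificate; a compromised spoke is then limited to its own prefixes until its serial is revoked.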
