Geoffrey == Geoffrey Huang ghu...@juniper.net writes:
Geoffrey My initial inclination is to say that won't fly: that many
Geoffrey deployments still require preshared key authentication.
Geoffrey Rather, they would object to certificates because of
Geoffrey perceived complexity.
On Mar 26, 2012, at 9:52 AM, Michael Richardson wrote:
Geoffrey == Geoffrey Huang ghu...@juniper.net writes:
Geoffrey My initial inclination is to say that won't fly: that many
Geoffrey deployments still require preshared key authentication.
Geoffrey Rather, they would object to
I agree: it's not a hard problem. It's an annoying problem, and the
lack of a dynamic solution causes poor experiences for users.
For a relatively static group of non-moving leaf gateways, even a very
large group, a bit of scripting could generate most of the full mesh
policy, and normal IKEv2
Yoav == Yoav Nir y...@checkpoint.com writes:
Yoav direct endpoint-to-endpoint connectivity may not be possible
Yoav if both endpoints are NATed
Yoav Why? There are several protocols (SIP/RTP come to mind) that
Yoav manage endpoint-to-endpoint connectivity even when both are
Stephen == Stephen Hanna sha...@juniper.net writes:
Stephen I think that Michael is asking an important question. There
Stephen are many ways to solve the P2P VPN problem. One way is to
Stephen have satellites with little configuration that connect to
Stephen core gateways with
{fat fingers let previous email get away too soon, ignore}
Stephen == Stephen Hanna sha...@juniper.net writes:
Stephen I think that Michael is asking an important question. There
Stephen are many ways to solve the P2P VPN problem. One way is to
Stephen have satellites with little
Stephen == Stephen Hanna sha...@juniper.net writes:
Stephen #215: Should traffic flow through the gateway while a
Stephen shortcut is being
Stephen established?
Yes.
No traffic should be delayed or dropped if it can be delivered.
This entire system is an optional *optimization*!
I think that whenever a node moves from the point of view of its
primary connection, that it should tear down all auxiliary tunnels.
Due to the movement of the node, it may be impossible to communicate
with the end-points of the auxiliary tunnels (due to NAT restricted-cone
at one end or the
Vishwas == Vishwas Manral vishwas.i...@gmail.com writes:
Vishwas Branch routers have 3G/4G interfaces as backups for the
Vishwas primary interface
Vishwas and sometimes even multiple 3G/4G interfaces with no wired
Vishwas interface at
Vishwas all to the backend.
Vishwas,
On Mar 26, 2012, at 10:47 AM, Michael Richardson wrote:
Yaron == Yaron Sheffer yaronf.i...@gmail.com writes:
Yaron I don't want to speak for MCR, but I think you are taking his
Yaron question too far towards the implementation aspects. What I
Yaron read in the question is, do we
I also support the draft
Daniel
On Tue, Mar 6, 2012 at 5:37 AM, Paul Hoffman paul.hoff...@vpnc.org wrote:
On Mar 5, 2012, at 3:26 AM, Tero Kivinen wrote:
I just posted following document. I think I would like to get few
minutes in Paris to explain this document, and see whether there is any
Yoav == Yoav Nir y...@checkpoint.com writes:
You didn't take my comments too far; I think you realized that I was in
fact saying two things:
1) when traffic is redirected, MUST it be redirected directly to the
real endpoint? (There might be issues of in-band double NAT
I agree.
-Vishwas
On Mon, Mar 26, 2012 at 1:12 AM, Michael Richardson
mcr+i...@sandelman.ca wrote:
I agree: it's not a hard problem. It's an annoying problem, and the
lack of a dynamic solution causes poor experiences for users.
For a relatively static group of non-moving leaf gateways,
My understanding is that there are two things, that may be considered
independently:
- configuring IPsec layer
- defining which route the communication should take
I don't understand why only one tunnel should be used. A mobile node, when
it detects a new interface, should be able to add
Daniel Migault writes:
My understanding is that there are two things, that may be considered
independently:
- configuring IPsec layer
- defining which route the communication should take
I don't understand why only one tunnel should be used. A mobile node, when
it detects a new
Hi
This is about my presentation from the IPsecME meeting today (which for some
reason is not on the website).
Anyways, RFC 5266 mentions that RFC 4306 must be updated to carry ERP
messages. This caused some controversy a year ago, but regardless, I did think
of a use case, so I partnered with
On Mar 26, 2012, at 6:43 PM, Tero Kivinen wrote:
Yoav Nir writes:
This is about my presentation from the IPsecME meeting today (which
for some reason is not on the website).
Anyways, RFC 5266 mentions that RFC 4306 must be updated to carry
ERP messages. This caused some controversy a year
Geoffrey Huang writes:
It's starting to sound like existing methods, to be sure. I'm skeptical
of introducing yet another form of authentication. This would add to the
complexity of the overall system. To frame it in terms of a requirement,
I propose that any leaf-to-leaf communication has