On (07/12/16 13:09), Rafa Marin Lopez wrote:
> 
> What do you think?

The distinction between "case 1" and "case 2" seems to be about whether
IKE is done in the NSF, or not. In all cases the SAD/SPD etc. have
to be in the NSF. Might help to make that clear (and then elaborate
on the various permutations of the "or not" bit).

> >> One question about the block diagram above (and also applies to
> >> Case 2)- will the "Security Controller" and NSF both use the same
> >> src IP address for the purposes of IKE negotiation?
> 
> [Rafa] In general, there won’t be IKE negotiation except in Fig. 8. So
> focusing on Fig. 8, I think they may use the same IP address. Also that
> possibility may be considered if IKE is used as west/east interface.

Reason that I asked this question is that if IKE is done outside
the NSF, then the entity doing IKE may be constrained to use the
same src addr as the NSF (I haven't checked into all the requirements
around IKE here) and this may be something that needs some care.

> >> Another area that might need some discussion is the case of
> >> NSF migration- there may be some performance considerations 
> >> when IKE is implemented outside the NSF, and there is NSF migration.
> 
> [Rafa] This is an interesting scenario we can explore. In the
> migration … you consider the case where the NSF is migrated under
> another controller, no?

correct.

--Sowmini

_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
