Hi Sowmini:

> On 14 Jul 2016, at 15:24, Sowmini Varadhan <[email protected]> wrote:
>
> On (07/12/16 13:09), Rafa Marin Lopez wrote:
>>
>> What do you think?
>
> The distinction between "case 1" and "case 2" seems to be about whether
> IKE is done in the NSF, or not.

[Rafa] Correct.

> In all cases the sad/spd etc has
> to be in the NSF.

[Rafa] Correct.

> Might help to make that clear (and then elaborate
> on the various permutations of the "or not" bit).

[Rafa] Thanks for the suggestion.

>
>>>> One question about the block diagram above (and also applies to
>>>> Case 2)- will the "Security Controller" and NSF both use the same
>>>> src IP address for the purposes of IKE negotiation?
>>
>> [Rafa] In general, there won't be IKE negotiation except in Fig. 8. So
>> focusing on Fig. 8, I think they may use the same IP address. Also that
>> possibility may be considered if IKE is used as west/east interface.
>
> Reason that I asked this question is that if IKE is done outside
> the NSF, then the entity doing IKE may be constrained to use the
> same src addr as the NSF (I haven't checked into all the requirements
> around IKE here) and this may be something that needs some care.

[Rafa] Ah, ok. It seems reasonable to think that the end user will require
seeing the IKE packet coming from the same IP address (same IKE responder).
In a typical scenario involving a controller I do not see a real problem
here. The controller could build a UDP packet with the IKE message from the
information sent by the NSF and pass that to the NSF so it can forward it
to the end user. In any case, I agree with you that this is one of the most
complicated scenarios and needs some care.

>
>>>> Another area that might need some discussion is the case of
>>>> NSF migration- there may be some performance considerations
>>>> when IKE is implemented outside the NSF, and there is NSF migration.
>>
>> [Rafa] This is an interesting scenario we can explore. In the
>> migration … you consider the case where the NSF is migrated under
>> another controller, no?
>
> correct.

[Rafa] Understood. We can definitely discuss this scenario (and even a
simpler case, when the NSF is migrated to another network (so a change of
IP address) even under the same controller).

Thank you for the comments. We will try to reflect them in the next revision of the I-D.

>
> --Sowmini
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151
e-mail: [email protected]
-------------------------------------------------------

_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
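The "IKE outside the NSF" arrangement discussed in the message above (controller runs IKE, NSF owns the public address and forwards the datagram so the initiator keeps seeing the same responder address) can be modelled in a few dozen lines. The following is an added example and is not code from the I2NSF draft, from the thread's authors, or from any NSF implementation. The NSF-to-controller envelope (`RelayedDatagram`), the class names, the addresses and the SPI values are assumptions made for illustration; the only real wire format is the IKEv2 fixed header from RFC 7296, section 3.1, and the controller's responder logic is reduced to header handling so that the address-mirroring and SPI bookkeeping are visible.

```python
"""Added example, not part of the I2NSF draft or of this thread.

Models the "IKE done outside the NSF" case: the NSF owns the public
address and UDP port 500, relays each IKE datagram to the Security
Controller together with the UDP addressing it saw, and the controller
(which runs the IKE state machine) hands back a reply datagram that the
NSF transmits from its own address.  The initiator therefore always sees
the same IKE responder address.  RelayedDatagram and the class layout are
assumptions for illustration; only the IKEv2 fixed header (RFC 7296,
section 3.1) is real wire format, and the responder logic is reduced to
header handling (no SA/KE/Nr payloads).
"""
import os
import struct
from dataclasses import dataclass

# IKEv2 fixed header: SPIi(8) SPIr(8) NextPayload(1) Version(1)
# ExchangeType(1) Flags(1) MessageID(4) Length(4)  -> 28 bytes
IKE_HDR = struct.Struct("!8s8sBBBBII")
IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
VERSION_2_0 = 0x20
ZERO_SPI = bytes(8)


@dataclass
class IkeHeader:
    spi_i: bytes
    spi_r: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_ike_header(datagram: bytes) -> IkeHeader:
    """Parse and sanity-check the fixed header of an IKEv2 datagram."""
    if len(datagram) < IKE_HDR.size:
        raise ValueError("datagram shorter than IKEv2 header")
    hdr = IkeHeader(*IKE_HDR.unpack_from(datagram))
    if hdr.version >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (hdr.version >> 4))
    if hdr.length != len(datagram):
        raise ValueError("IKE length field does not match datagram size")
    return hdr


def build_sa_init_request(spi_i: bytes, body: bytes = b"") -> bytes:
    """IKE_SA_INIT request as an initiator sends it (payloads omitted)."""
    return IKE_HDR.pack(spi_i, ZERO_SPI, 0, VERSION_2_0, IKE_SA_INIT,
                        FLAG_INITIATOR, 0, IKE_HDR.size + len(body)) + body


@dataclass
class RelayedDatagram:
    """Hypothetical NSF<->controller envelope: the UDP addressing the NSF
    saw (or must send with) plus the raw IKE datagram."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    payload: bytes


class SecurityController:
    """Runs IKE on behalf of its NSFs.  State is keyed by the NSF address the
    initiator talked to plus SPIi, so a retransmitted IKE_SA_INIT gets the
    same SPIr back instead of opening a second half-open SA."""

    def __init__(self):
        self.half_open = {}

    def handle(self, rd: RelayedDatagram) -> RelayedDatagram:
        hdr = parse_ike_header(rd.payload)
        if hdr.exchange_type != IKE_SA_INIT or hdr.flags & FLAG_RESPONSE:
            raise ValueError("example only answers IKE_SA_INIT requests")
        if hdr.spi_r != ZERO_SPI:
            raise ValueError("SPIr must be zero in an IKE_SA_INIT request")
        key = (rd.dst_addr, hdr.spi_i)
        spi_r = self.half_open.get(key)
        if spi_r is None:
            spi_r = os.urandom(8)
            self.half_open[key] = spi_r
        # A real responder appends SA, KE and Nr payloads here; the header
        # alone already shows the SPI and flag handling.
        body = b""
        reply = IKE_HDR.pack(hdr.spi_i, spi_r, 0, VERSION_2_0, IKE_SA_INIT,
                             FLAG_RESPONSE, hdr.message_id,
                             IKE_HDR.size + len(body)) + body
        # Addressing is mirrored: the NSF must send from the address and
        # port the initiator used, not from the controller's own address.
        return RelayedDatagram(rd.dst_addr, rd.dst_port,
                               rd.src_addr, rd.src_port, reply)


class Nsf:
    """Data-plane box: owns the public address, relays IKE to the controller
    and checks that the reply really leaves from its own address."""

    def __init__(self, public_addr: str, controller: SecurityController):
        self.public_addr = public_addr
        self.controller = controller

    def on_udp_500(self, src_addr: str, src_port: int,
                   datagram: bytes) -> RelayedDatagram:
        rd = RelayedDatagram(src_addr, src_port, self.public_addr, 500, datagram)
        reply = self.controller.handle(rd)
        if reply.src_addr != self.public_addr:
            raise RuntimeError("controller asked the NSF to send from a foreign address")
        return reply  # would go out of a socket bound to public_addr:500


if __name__ == "__main__":
    nsf = Nsf("198.51.100.10", SecurityController())  # constructed addresses
    out = nsf.on_udp_500("203.0.113.5", 500, build_sa_init_request(b"\x11" * 8))
    print(out.src_addr, "->", out.dst_addr, parse_ike_header(out.payload))
```

Two points the model makes explicit: the NSF, not the controller, is the only party that ever puts a source address on the wire, so the "same IKE responder" requirement is met by construction; and because the controller keys its half-open state on the NSF address plus SPIi, a retransmitted IKE_SA_INIT is answered with the same SPIr, which is what RFC 7296 expects and what would otherwise be the first thing to break when the NSF's address changes during a migration.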
