Hi Yoav:

> On 18 Jul 2017, at 17:14, Yoav Nir <[email protected]> wrote:
>
> I mostly agree, but one point…
>
>> On 18 Jul 2017, at 17:06, Tero Kivinen <[email protected]> wrote:
>
> <snip/>
>
>> This I think is important question, i.e., what is the gain for not
>> running IKEv2 between the nodes?
>>
>
> Simpler gateway, less code, no PK operations, no need for random number
> generator.
>
> The counter-argument is that without all these you can’t set up a TLS session
> to run netconf over.

[Rafa] The argument is that the NSF will need this TLS/SSH session with the controller regardless of IPsec management. It will need it for routing management, IDS, firewall, management etc… Since that TLS/SSH is already there (regardless of IPsec management) we can leverage this. Also, the implementation of the NETCONF server is required no matter if we have IPsec management. Therefore, if you have case 1 vs case 2, case 1 still needs the NETCONF server in addition to the IKE implementation; case 2 does not. Therefore, as you mention, it makes the NSF simpler, no doubt.

>
> Yoav
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec

-------------------------------------------------------
Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151
e-mail: [email protected]
-------------------------------------------------------
_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
