On Thu, 14 Sep 2017, Mike Sullenberger (mls) wrote:
> If you want to securely encrypt traffic between endpoints, then you are going to need to build point-to-point encrypted tunnels between these endpoints; this is the main reason that SD-WAN implementations use either a full mesh or a dynamic mesh of point-to-point tunnels. If you rely on a multi-point connection model, then you end up using a group-key encryption model, which is less secure (many customers will not accept using group keys).
See also Opportunistic IPsec, which is a way of creating a mesh with IPsec using some kind of central (X.509) or decentralized (DNSSEC) authentication. See:

https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec
https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec_using_LetsEncrypt
http://events.linuxfoundation.org/sites/events/files/slides/LinuxSecuritySummit-2016-OE-16x9.pdf
https://docs.openshift.com/container-platform/3.5/admin_guide/ipsec.html
https://access.redhat.com/documentation/en-us/openshift_container_platform/3.4/html/cluster_administration/admin-guide-ipsec

Paul

_______________________________________________
I2nsf mailing list
https://www.ietf.org/mailman/listinfo/i2nsf
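As an added worked example (not part of Paul's message, and not one of libreswan's shipped sample configurations), the X.509-authenticated "central" variant of Opportunistic IPsec that Paul refers to looks like this in libreswan's ipsec.conf syntax. It shows the two policy groups side by side: "private-or-clear", which falls back to cleartext when the peer does not answer IKE, and "private", which never does. The certificate nickname mesh-node and the CIDR placed in the policy files are assumptions; keyword names and the %-magic values are those documented in the libreswan ipsec.conf manual page, so check them against the HOWTO linked above for the libreswan version actually installed.

```ini
# Added example, not libreswan's own sample config.
# Assumptions: the host's certificate is stored in the NSS database under the
# nickname "mesh-node" and is signed by the same CA as every peer's certificate.
#
# Policy groups are plain files listing one CIDR per line, for example
#   /etc/ipsec.d/policies/private-or-clear  ->  10.0.0.0/8   (assumed)
#   /etc/ipsec.d/policies/private           ->  10.1.0.0/16  (assumed)
# libreswan instantiates the matching conn for each entry.

# Hosts in the private-or-clear group get IPsec when the peer authenticates,
# and cleartext when IKE negotiation fails or times out.
conn private-or-clear
    # local side: this host, identity and key taken from our certificate
    left=%defaultroute
    leftid=%fromcert
    leftcert=mesh-node
    leftrsasigkey=%cert
    leftauth=rsasig
    # remote side: any address in the policy group; its identity comes from
    # its certificate, which must chain to the same CA as ours (the
    # "central X.509" authentication model)
    right=%opportunisticgroup
    rightid=%fromcert
    rightrsasigkey=%cert
    rightauth=rsasig
    rightca=%same
    authby=rsasig
    ikev2=yes
    # Opportunistic behaviour: packets flow in the clear while IKE runs
    # (negotiationshunt) and keep flowing in the clear if IKE fails
    # (failureshunt). Anyone who can drop UDP/500 and UDP/4500 between the
    # peers therefore gets a cleartext downgrade for free.
    negotiationshunt=passthrough
    failureshunt=passthrough
    keyingtries=1
    retransmit-timeout=2s
    auto=ondemand

# Hosts in the private group use the same authentication but are never
# allowed cleartext: packets are held during IKE and dropped if it fails.
conn private
    left=%defaultroute
    leftid=%fromcert
    leftcert=mesh-node
    leftrsasigkey=%cert
    leftauth=rsasig
    right=%opportunisticgroup
    rightid=%fromcert
    rightrsasigkey=%cert
    rightauth=rsasig
    rightca=%same
    authby=rsasig
    ikev2=yes
    negotiationshunt=hold
    failureshunt=drop
    keyingtries=1
    retransmit-timeout=2s
    auto=ondemand
```

The two conns differ only in their shunt settings, and that difference is the whole security decision: private-or-clear is what makes the scheme "opportunistic" (encrypt where possible, otherwise proceed), while private is the setting to use for any prefix where silent fallback to plaintext is unacceptable. For the decentralized DNSSEC model Paul mentions, libreswan's documentation replaces the certificate with a raw RSA key published in the peer's IPSECKEY DNS record, fetched with rightrsasigkey=%dnsondemand and validated through DNSSEC; the shunt choices above apply unchanged.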
