Paul,

If we need to use IPsec tunnels to connect a group of CPE devices (as shown in the figure I sent earlier), do you still need DNS? Or will the key management be handled by the "Zero Touch Deployment Service" in the figure below?
Thanks,
Linda

-----Original Message-----
From: Paul Wouters [mailto:p...@nohats.ca]
Sent: Thursday, September 14, 2017 1:25 PM
To: Mike Sullenberger (mls) <m...@cisco.com>
Cc: Linda Dunbar <linda.dun...@huawei.com>; i2nsf@ietf.org; IPsecME WG <ip...@ietf.org>; Yoav Nir <ynir.i...@gmail.com>
Subject: Re: [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

On Thu, 14 Sep 2017, Mike Sullenberger (mls) wrote:

> If you want to securely encrypt traffic between endpoints then you are
> going to need to build point-point encrypted tunnels between these
> endpoints, this is the main reason that SD-WAN implementations use
> either a full-mesh or dynamic-mesh of point-point tunnels. If you rely on a
> multi-point connection model then you end up using a group key encryption
> model which is less secure (many customers will not accept using group keys).

See also Opportunistic IPsec, which is a way of creating a mesh with IPsec using some kind of central (X.509) or decentral (DNSSEC) authentication. See:

https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec
https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec_using_LetsEncrypt
http://events.linuxfoundation.org/sites/events/files/slides/LinuxSecuritySummit-2016-OE-16x9.pdf
https://docs.openshift.com/container-platform/3.5/admin_guide/ipsec.html
https://access.redhat.com/documentation/en-us/openshift_container_platform/3.4/html/cluster_administration/admin-guide-ipsec

Paul
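The "decentral (DNSSEC)" authentication Paul mentions works by publishing each peer's public key in DNS as an IPSECKEY record (RFC 4025), which the initiator looks up and trusts only when the answer is DNSSEC-validated. The parser below is an added example (not from this thread, and not libreswan's own code) showing what such a record carries on the wire; the sample RDATA and its key blob are constructed placeholders, not a real key.

```python
import base64
import ipaddress
ALGORITHMS = {0: "none", 1: "DSA", 2: "RSA", 3: "ECDSA"}

# Constructed sample RDATA: precedence 10, no gateway (type 0), RSA (alg 2).
# The trailing bytes are a placeholder key blob, not a real RSA public key.
SAMPLE_RDATA = bytes([10, 0, 2]) + b"\x03\x01\x00\x01" + bytes(range(1, 9))

def _read_dname(data: bytes, off: int):
    # Uncompressed wire-format name; RFC 4025 forbids compression pointers here.
    labels = []
    while True:
        if off >= len(data):
            raise ValueError("truncated domain name")
        length, off = data[off], off + 1
        if length == 0:
            return ".".join(labels) + ".", off
        if length & 0xC0:
            raise ValueError("compression pointer in IPSECKEY gateway")
        labels.append(data[off:off + length].decode("ascii"))
        off += length

def parse_ipseckey(rdata: bytes) -> dict:
    # Fixed header: precedence, gateway type, algorithm (1 octet each).
    if len(rdata) < 3:
        raise ValueError("RDATA shorter than the 3-octet header")
    precedence, gw_type, alg, off = rdata[0], rdata[1], rdata[2], 3
    if gw_type == 0:
        gateway = "."                      # host is its own IPsec endpoint
    elif gw_type in (1, 2):
        size = 4 if gw_type == 1 else 16
        if len(rdata) < off + size:
            raise ValueError("truncated gateway address")
        cls = ipaddress.IPv4Address if gw_type == 1 else ipaddress.IPv6Address
        gateway, off = str(cls(rdata[off:off + size])), off + size
    elif gw_type == 3:
        gateway, off = _read_dname(rdata, off)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {alg}")
    pubkey = rdata[off:]
    if (alg == 0) != (len(pubkey) == 0):   # a key is present iff an algorithm is named
        raise ValueError("public key field inconsistent with algorithm")
    return {"precedence": precedence, "gateway_type": gw_type, "gateway": gateway,
            "algorithm": ALGORITHMS[alg], "algorithm_id": alg, "public_key": pubkey}

def to_presentation(rec: dict) -> str:
    # Zone-file form: precedence gateway-type algorithm gateway base64(key)
    key = base64.b64encode(rec["public_key"]).decode("ascii")
    return f"{rec['precedence']} {rec['gateway_type']} {rec['algorithm_id']} {rec['gateway']} {key}".rstrip()
```

A resolver that does not validate DNSSEC (no AD bit) gives no authentication at all, so a deployment like Linda's would need either validating resolvers on the CPEs or the central X.509 alternative Paul lists.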