Hi authors,

In Section 5.2.1, to avoid exposure of other nodes once one node is compromised, the key material for each pair must be different and irreversible. This may cause performance issues for the controller in a large network during initial setup and rekey.

So, to distribute some of the SA key calculation to each device while still avoiding negotiation latency, another option is that the controller sends common key material to all NSFs, and each NSF then calculates the actual SA key using the common key and the known local and peer info. This way, both peers can generate the Tx SA and Rx SA without negotiating with each other, and the keys will still be unique for each tunnel. Will you consider this option?

Thanks!
B.R.
Frank
_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
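The derivation sketched in the message above (controller-distributed common key material, per-tunnel keys computed locally from local and peer identity) can be illustrated with an HKDF-based scheme. The following is an added example written for this page; it is not code from the draft, the I2NSF working group or the poster. The HKDF implementation follows RFC 5869 over SHA-256; the label `i2nsf-sa-key`, the identity encoding, the `epoch` value used as salt and the NSF names are assumptions made for the example, not values taken from the draft.

```python
"""Deterministic per-tunnel SA key derivation from common key material.

Added example, not from the draft under discussion. Both peers hold the same
controller-distributed COMMON key and derive the two directional keys of a
tunnel from (sender id, receiver id). Peer A's Tx key equals peer B's Rx key
by construction, so no negotiation round trip is needed.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM); empty salt -> HashLen zeros."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):  # ceil(length / HashLen)
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def _encode_id(identity: bytes) -> bytes:
    """Length-prefix each identity so (A, B) can never collide with (A', B')."""
    return len(identity).to_bytes(2, "big") + identity


def derive_direction_key(common_key: bytes, epoch: int, sender_id: bytes,
                         receiver_id: bytes, key_len: int = 32) -> bytes:
    """Key for traffic flowing sender -> receiver in the given rekey epoch.

    The epoch (assumed to be distributed by the controller with the common key)
    is the HKDF salt, so a rekey changes every tunnel key without changing the
    derivation inputs on the NSFs. The label and both identities are bound into
    `info`, which makes each direction of each tunnel a distinct key.
    """
    salt = b"i2nsf-epoch" + epoch.to_bytes(4, "big")
    info = b"i2nsf-sa-key" + _encode_id(sender_id) + _encode_id(receiver_id)
    prk = hkdf_extract(salt, common_key)
    return hkdf_expand(prk, info, key_len)


def derive_sa_pair(common_key: bytes, epoch: int, local_id: bytes,
                   peer_id: bytes) -> dict:
    """What one NSF computes for a tunnel to `peer_id`: its Tx and Rx SA keys."""
    return {
        "tx": derive_direction_key(common_key, epoch, local_id, peer_id),
        "rx": derive_direction_key(common_key, epoch, peer_id, local_id),
    }


def rfc5869_test_vector_ok() -> bool:
    """Check the HKDF primitive against RFC 5869 test case 1 (SHA-256)."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )
    return hkdf_expand(hkdf_extract(salt, ikm), info, 42) == expected


# Constructed sample values for the demonstration (not from the draft).
COMMON_KEY = bytes(range(32))
NSF_A, NSF_B, NSF_C = b"nsf-a.example", b"nsf-b.example", b"nsf-c.example"


def demonstrate(epoch: int = 1) -> dict:
    """Derive the A<->B tunnel keys independently on A and on B and compare."""
    on_a = derive_sa_pair(COMMON_KEY, epoch, NSF_A, NSF_B)
    on_b = derive_sa_pair(COMMON_KEY, epoch, NSF_B, NSF_A)
    on_a_to_c = derive_sa_pair(COMMON_KEY, epoch, NSF_A, NSF_C)
    return {
        "tx_matches_peer_rx": on_a["tx"] == on_b["rx"] and on_a["rx"] == on_b["tx"],
        "directions_differ": on_a["tx"] != on_a["rx"],
        "tunnels_differ": on_a["tx"] != on_a_to_c["tx"],
        # Any holder of COMMON_KEY (here "C") can compute the A->B key as well.
        "third_party_can_derive": derive_direction_key(COMMON_KEY, epoch, NSF_A, NSF_B) == on_a["tx"],
    }


if __name__ == "__main__":
    print("HKDF matches RFC 5869 vector:", rfc5869_test_vector_ok())
    for name, ok in demonstrate().items():
        print(f"{name}: {ok}")
```

The last check in `demonstrate()` is the caveat a reviewer would want recorded alongside the proposal: because every NSF holds the same common key and the other derivation inputs are identities that are known network-wide, any NSF (or anyone who compromises one) can derive the keys of any other pair. The scheme gives per-tunnel uniqueness and avoids negotiation latency, but it does not by itself provide the isolation property the first paragraph asks for; that would require the common material to be per-node rather than shared, or a derivation that mixes in something only the two peers know.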
