David and Brian,

In your draft, you assumed that devices (e.g. A or B) send their public key to the Controller.

In some SD-WAN deployments, the Controller manages and distributes the "public key" and "nonce" to each device to achieve Zero Touch Provisioning. Can you update Figure 2 to reflect the "Controller" sending the "public key to devices"?

Since this document is about Controller-managed IKE, can we have a section with recommendations on which attributes of IPsec are suitable to be distributed by the Controller? For example:

- PAD (Peer Authentication Database) can be maintained by the Controller for deployment of devices with constrained resources
- Public key and nonce managed by the Controller

The rekey process in Section 4 describes some occasions with a device having 2 or 4 SAs for each peer (Section 4.2). Does it mean the receiving node has to use two different decryption keys? How does the receiving node know which one the sender actually used?

The entire Section 4 description is no different from the scenario of two peers' direct communication (i.e. without the Controller being present), is it correct?

Thank you very much,
Linda Dunbar
_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
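The question in the message above about a receiver holding two inbound SAs during a rekey comes down to the SPI: every ESP packet carries its SPI in the clear, and the receiver selects the inbound SA (and therefore the keys) by that SPI, so both the old and the new SA can be accepted side by side until the old one is deleted. The following is an added example written for this page, not code from the draft or from any IPsec implementation. It models that lookup with a toy SHA-256 keystream and an HMAC-SHA256 ICV in place of real ESP ciphers, and the SPIs, keys and payloads are constructed values.

```python
"""Toy model of inbound SA selection by SPI across an IPsec rekey.

Constructed example: standard library only. The "encryption" is a SHA-256
keystream and the ICV is a truncated HMAC-SHA256; neither is a substitute
for the AES-GCM or AES-CBC+HMAC transforms real ESP uses.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 16          # truncated ICV, as in ESP with HMAC-SHA-256-128
HDR = struct.Struct("!II")   # ESP header: SPI (4 bytes) | sequence number (4 bytes)


@dataclass
class InboundSA:
    """One entry of the receiver's inbound SAD, keyed by SPI."""
    spi: int
    enc_key: bytes
    auth_key: bytes


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Toy keystream bound to (key, SPI, seq) so old and new SAs never share it."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(sa: InboundSA, seq: int, plaintext: bytes) -> bytes:
    """Sender side: header in the clear, toy-encrypted body, ICV over both."""
    header = HDR.pack(sa.spi, seq)
    ks = _keystream(sa.enc_key, sa.spi, seq, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, ks))
    icv = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(sad: dict, packet: bytes) -> bytes:
    """Receiver side: pick the SA by the SPI in the header, then verify and decrypt."""
    if len(packet) < HDR.size + ICV_LEN:
        raise ValueError("short packet")
    spi, seq = HDR.unpack(packet[:HDR.size])
    sa = sad.get(spi)                       # this lookup answers "which key?"
    if sa is None:
        raise ValueError(f"no inbound SA for SPI {spi:#010x}")
    body, icv = packet[HDR.size:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, packet[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    ks = _keystream(sa.enc_key, spi, seq, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def rekey_demo():
    """Walk through a rekey: old SA only, both SAs, then old SA removed."""
    old = InboundSA(0x10000001, b"old-enc-key-constructed", b"old-auth-key-constructed")
    new = InboundSA(0x10000002, b"new-enc-key-constructed", b"new-auth-key-constructed")
    sad = {old.spi: old}

    # Phase 1: only the old inbound SA is installed.
    p1 = esp_decapsulate(sad, esp_encapsulate(old, 1, b"before rekey"))

    # Phase 2: new SA installed, old SA kept; packets on either SPI decrypt.
    sad[new.spi] = new
    p2 = esp_decapsulate(sad, esp_encapsulate(old, 2, b"in flight on old SA"))
    p3 = esp_decapsulate(sad, esp_encapsulate(new, 1, b"first on new SA"))

    # Phase 3: old SA deleted; a late packet on the old SPI is rejected.
    del sad[old.spi]
    try:
        esp_decapsulate(sad, esp_encapsulate(old, 3, b"late on old SA"))
        late_accepted = True
    except ValueError:
        late_accepted = False
    return p1, p2, p3, late_accepted


if __name__ == "__main__":
    print(rekey_demo())
```

The receiver never has to guess which key the sender used: the SAD lookup is by SPI (plus destination address and protocol in a real stack), and a packet whose SPI is no longer installed is dropped rather than tried against every key. The same lookup applies whether the SAs were negotiated directly between the peers or pushed by a Controller.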
