Shoichi Sakane writes:
> This draft describes a scenario to use IKEv2 for a minimum specification.
> The document only allows one side to be a responder.

A more correct way is to say that this document only describes the node which is always the initiator of the communication.

> I would like to a little extend it. That means it allows both sides
> to be a responder.

To be able to act as responder requires taking more features from the full IKEv2, and very soon you are better off with a full IKEv2 implementation. For example, to be able to act as responder usually means that you need to have some kind of policy decision module, i.e. one which, when given the identity of the initiator, will check whether that peer is allowed to create connections, use specific algorithms, or do other things. In the initiator end it is usually simple, as you simply only offer the things you support, and when you are initiating the connection you already have your policy specified.

> Here is an example scenario, in a scenario of smart metering, both a
> meter and a server have a power line, but the power consumption
> should be lesser as much as possible. The network is lossy. The
> resource of the device is typically constrained, for example, memory
> or physical size.

I would expect that the smart meter would be the one using an implementation like the one described in draft-kivinen-ipsecme-ikev2-minimal, and the server that the meter connects to needs to support full IKEv2. For example, usually there are multiple meters for each server, meaning that the server needs to support multiple simultaneous IKEv2 SAs and IPsec SAs, and it needs to do policy lookups based on the identity of the meter device, etc.

In the server end there are also some features of IKEv2 which can be left out (for example configuration mode, NAT traversal (depending on the network), etc.), but in this document I tried to concentrate on the very minimal implementation.
-- 
[email protected]
