On Nov 30, 2011, at 5:45 PM, Mike Sullenberger wrote:

> It looks to me like this "discovery" ends up being:
> 
>  1. a new end-node securely connecting to a known trusted server (hub)
>  2. registering itself (attributes, protected subnets) with the hub
>  3a. waiting for another end-node to find it via the hub, because that
>      end-node has data traffic for it.
>  3b. or trying to find another end-node via the hub, because it has
>      data traffic for it.

That is one way. Another way that has been described would be closer to:

1. An IPsec gateway that knows all of the networks it protects connects to a 
known trust server (introducer)
2. The gateway registers itself and its protected networks and their policies, 
or updates what is already there for the gateway.
3. When another gateway asks the introducer how to reach a particular address, 
the introducer finds the address in the collection and gives the information 
about that to the gateway.

Step 3 would probably be triggered by traffic. OTOH, if we expect the 
information from the introducer to include a TTL / freshness period, the 
gateways might poll the introducer for everything it knows on a periodic basis to 
reduce the route setup time.

--Paul Hoffman

_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
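The introducer scheme Paul sketches above (a gateway registers its protected networks and their policies, another gateway asks the introducer how to reach an address, and the answer carries a TTL), modelled as an added example. This is not code from the thread or from any IETF work; the class names, the longest-prefix selection rule, the "re-registration replaces the whole entry" behaviour and the prefix-keyed cache on the asking gateway are all assumptions made here to make the three steps concrete.

```python
"""Toy model of introducer-based IPsec gateway discovery (added example).

Assumptions not stated in the thread: a gateway's identity is already
authenticated when it registers; a re-registration replaces its previous
entry; the most specific (longest) prefix wins; the TTL in every answer is
also the interval after which an unrefreshed gateway is forgotten.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Registration:
    """Step 2: what one gateway has told the introducer about itself."""
    gateway_id: str              # assumed: the gateway's authenticated identity
    endpoint: str                # where a peer should start IKE with this gateway
    networks: dict               # protected prefix (Network) -> policy label
    refreshed_at: float          # introducer-local time of the last register()


@dataclass
class Answer:
    """Step 3: what the introducer returns, including a freshness period."""
    gateway_id: str
    endpoint: str
    prefix: Network
    policy: str
    ttl: float                   # seconds the asking gateway may cache this


class Introducer:
    def __init__(self, ttl: float = 300.0):
        self.ttl = ttl
        self._regs: dict = {}    # gateway_id -> Registration

    def register(self, gateway_id: str, endpoint: str, networks: dict, now: float):
        """Create or replace the gateway's entry (assumed semantics: a later
        registration overwrites the earlier one, so withdrawn prefixes vanish)."""
        nets = {ipaddress.ip_network(p, strict=True): pol for p, pol in networks.items()}
        self._regs[gateway_id] = Registration(gateway_id, endpoint, nets, now)

    def expire(self, now: float) -> list:
        """Forget gateways that have not refreshed within one TTL."""
        stale = [g for g, r in self._regs.items() if now - r.refreshed_at > self.ttl]
        for g in stale:
            del self._regs[g]
        return stale

    def lookup(self, address, now: float) -> Optional[Answer]:
        """Which live gateway protects this address? Longest matching prefix wins."""
        self.expire(now)
        addr = ipaddress.ip_address(address)
        best = None                                  # (Registration, Network, policy)
        for reg in self._regs.values():
            for net, policy in reg.networks.items():
                # 'in' is False across address families, so v4/v6 never mix.
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (reg, net, policy)
        if best is None:
            return None
        reg, net, policy = best
        return Answer(reg.gateway_id, reg.endpoint, net, policy, self.ttl)


class GatewayResolver:
    """Asking-gateway side: query on demand, cache each answer for its TTL.

    Caching by the returned prefix (not the single address) means later
    traffic to the same protected network costs no round trip to the introducer.
    """
    def __init__(self, introducer: Introducer):
        self.introducer = introducer
        self._cache: dict = {}   # Network -> (Answer, expiry time)
        self.queries = 0         # how many times we actually asked the introducer

    def resolve(self, address, now: float) -> Optional[Answer]:
        addr = ipaddress.ip_address(address)
        hit = None
        for net, (ans, expiry) in self._cache.items():
            if addr in net and now < expiry and (hit is None or net.prefixlen > hit.prefix.prefixlen):
                hit = ans
        if hit is not None:
            return hit
        self.queries += 1
        ans = self.introducer.lookup(addr, now)
        if ans is not None:
            self._cache[ans.prefix] = (ans, now + ans.ttl)
        return ans
```

The point the `expire()` step makes about the thread's TTL idea: if the introducer's answers carry a freshness period, the same period naturally bounds how long a gateway that has gone silent (or been compromised and deregistered by its operator) keeps attracting traffic, so the TTL is a security parameter as much as a performance one.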
