This works if there is only one Hub in the network. In a scenario where there are multiple hubs in a hierarchy, or multiple hubs that don't have a hierarchical relation, this will not work.

-- Praveen

________________________________________
From: Tero Kivinen [[email protected]]
Sent: Saturday, March 24, 2012 3:04 AM
To: Praveen Sathyanarayan
Cc: Yaron Sheffer; Geoffrey Huang; [email protected]; Stephen Hanna
Subject: Re: [IPsec] [ipsecme] #217: Temporary credentials

Praveen Sathyanarayan writes:
> Yes. If certificate based authentication was used in the network, there is
> no need of new credentials. But if pre-shared key based was used, then we
> need this "temporary credentials". Also, it is required to define the
> lifetime of this "temporary credentials". For example, if the tunnel between
> spokes stays beyond the lifetime of the SA, then can the same "temporary
> credentials" be used for rekey? Or should new "temporary credentials"
> be received from the Hub?

That starts to sound like certificates...

One of the ways to do this is to always use certificates in the on-demand direct VPN connections. I.e. if the peer A normally authenticates itself with PSK to the hub, it would then create a private key, give it to the hub, which would sign it with a hub-only configuration trust anchor, and then other peers could use that key.

Or another way would be to use raw public keys, but then we do not have things like validity periods etc.

As X.509 certificate authentication support is already MANDATORY to support in all implementations, that could be the easiest way forward.
-- 
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
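The exchange Tero sketches (a spoke generates a key pair, the hub signs it under a hub-only trust anchor, other spokes validate against that anchor) as an added example in Go; this is not code from the thread, from any IKEv2 implementation, or from the ticket. It assumes the hub acts as a small X.509 CA using Go's standard crypto/x509 package, that the spoke hands the hub only its public key, and that spokes already hold the hub's anchor certificate. The hub names hub-1 and hub-2, the spoke name spoke-A and the one-hour lifetime are constructed values. The scenario runs three checks: the fresh credential verifies, the same credential fails after its lifetime (the rekey question in the quoted message, answered by the certificate's NotAfter), and a peer that only trusts a second, unrelated hub rejects it, which is the multi-hub limitation Praveen raises.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hub models a hub acting as the "hub-only configuration trust anchor" that
// signs on-demand spoke credentials (assumed: spokes already hold h.anchor).
type Hub struct {
	key    *ecdsa.PrivateKey
	anchor *x509.Certificate
	roots  *x509.CertPool
}

// sign creates and parses a certificate from tmpl, signed by parent with priv.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewHub generates the hub's signing key and a self-signed trust anchor.
func NewHub(name string) (*Hub, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	anchor, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	return &Hub{key: key, anchor: anchor, roots: roots}, nil
}

// Issue signs a spoke-generated public key into a short-lived certificate; the
// spoke keeps its private key. NotAfter is the credential lifetime: the spoke
// may rekey its direct SA with this credential until then, not after.
func (h *Hub) Issue(spoke string, pub *ecdsa.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; a real CA tracks serials
		Subject:      pkix.Name{CommonName: spoke},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, h.anchor, pub, h.key)
}

// Verify is the check a spoke performs on a peer certificate in IKE_AUTH:
// a chain to this hub's anchor, and validity at time `at`.
func (h *Hub) Verify(cert *x509.Certificate, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       h.roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// must unwraps (value, error) pairs; setup errors are fatal in this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario: spoke-A gets a one-hour credential from hub-1; peers trusting hub-1
// check it now and two hours later; a peer trusting only hub-2 checks it now.
func Scenario() (validNow, validAfterExpiry, validUnderOtherHub bool) {
	h1 := must(NewHub("hub-1"))
	h2 := must(NewHub("hub-2"))
	spokeA := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cert := must(h1.Issue("spoke-A", &spokeA.PublicKey, time.Hour))
	now := time.Now()
	return h1.Verify(cert, now) == nil,
		h1.Verify(cert, now.Add(2*time.Hour)) == nil,
		h2.Verify(cert, now) == nil
}

func main() {
	a, b, c := Scenario()
	fmt.Println("valid now:", a, "valid after expiry:", b, "accepted under other hub:", c)
}
```

Running it prints true, false, false. The raw-public-key alternative Tero mentions would drop the NotBefore/NotAfter fields, so the second check could not be expressed at all; the third check fails because hub-2's pool does not contain hub-1's anchor, which is exactly the case a hierarchy or cross-certification between hubs would have to address.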
