I agree: it's not a "hard problem". It's an annoying problem, and the lack of a dynamic solution causes poor experiences for users.
For a relatively static group of non-moving leaf gateways, even a very
large group, a bit of scripting could generate most of the full mesh
policy, and normal IKEv2 on-demand keying of links would bring up
tunnels as needed.
The reasons to have an automatic system are:
1) we have mobile nodes that we want to include (roadwarriors)
2) we have gateways behind NAT that can be hard to find.
3) we have machines/gateways that have non-transitive authentication
mechanisms, and it would be very annoying to set up each leaf
system with a trusted connection to the AAA system for
authentication.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [email protected] http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
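The "bit of scripting" for a static group of leaf gateways, as an added example that is not part of the original message or of any IPsec implementation: given an inventory of gateways, it emits every gateway's share of the full-mesh policy as on-demand (trap) entries, so IKEv2 only negotiates a link when traffic actually matches its selectors. Gateways with no routable IKE endpoint (the NAT case from point 2) are excluded and reported, since a static generator has no way to find them. The inventory, the `Gateway` fields and the swanctl.conf-like rendering are assumptions for illustration; check the output layout against the syntax your daemon actually parses.

```python
"""Generate full-mesh, on-demand IPsec policy for a fixed set of gateways."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Gateway:
    name: str
    ident: str               # IKE identity the peer presents during IKE_AUTH
    subnet: str              # network protected behind this gateway
    address: Optional[str]   # routable IKE endpoint; None if hidden behind NAT


# Constructed sample inventory (documentation address ranges, not real hosts).
GATEWAYS = [
    Gateway("gw-a", "gw-a.example.net", "10.1.0.0/24", "192.0.2.10"),
    Gateway("gw-b", "gw-b.example.net", "10.2.0.0/24", "198.51.100.20"),
    Gateway("gw-c", "gw-c.example.net", "10.3.0.0/24", "203.0.113.30"),
    Gateway("gw-d", "gw-d.example.net", "10.4.0.0/24", "192.0.2.40"),
    Gateway("gw-nat", "gw-nat.example.net", "10.9.0.0/24", None),
]


def split_reachable(gateways):
    """Separate gateways with a fixed, routable endpoint from those behind NAT."""
    reachable = [g for g in gateways if g.address is not None]
    hidden = [g for g in gateways if g.address is None]
    return reachable, hidden


def mesh_pairs(gateways):
    """Every unordered pair of reachable gateways: n*(n-1)/2 links."""
    ordered = sorted(gateways, key=lambda g: g.name)
    return list(combinations(ordered, 2))


def per_gateway_policies(gateways) -> Dict[str, List[dict]]:
    """For each reachable gateway, the tunnels it must know about.

    Each entry is a trap policy: traffic matching the selectors triggers
    IKEv2 to negotiate the SA, so idle links cost nothing until used."""
    policies: Dict[str, List[dict]] = {g.name: [] for g in gateways}
    for a, b in mesh_pairs(gateways):
        for local, remote in ((a, b), (b, a)):   # both ends need the policy
            policies[local.name].append({
                "conn": f"{local.name}-to-{remote.name}",
                "local_addr": local.address,
                "remote_addr": remote.address,
                "remote_id": remote.ident,
                "local_ts": local.subnet,
                "remote_ts": remote.subnet,
                "start_action": "trap",
            })
    return policies


def render(policies: List[dict]) -> str:
    """Render one gateway's policies in an assumed swanctl.conf-like layout."""
    lines = ["connections {"]
    for p in policies:
        lines += [
            f"    {p['conn']} {{",
            f"        local_addrs = {p['local_addr']}",
            f"        remote_addrs = {p['remote_addr']}",
            f"        remote {{ id = {p['remote_id']} }}",
            "        children {",
            f"            net {{ local_ts = {p['local_ts']}  "
            f"remote_ts = {p['remote_ts']}  start_action = {p['start_action']} }}",
            "        }",
            "    }",
        ]
    lines.append("}")
    return "\n".join(lines)


def generate(gateways=GATEWAYS):
    """Return (policies per reachable gateway, names of gateways left out)."""
    reachable, hidden = split_reachable(gateways)
    return per_gateway_policies(reachable), [g.name for g in hidden]


if __name__ == "__main__":
    policies, hidden = generate()
    for name, plist in policies.items():
        print(f"# policy for {name} ({len(plist)} peers)")
        print(render(plist))
    if hidden:
        print(f"# excluded, no routable endpoint (needs discovery): {hidden}")
```

With four reachable gateways the script yields six links and three policies per gateway; the NAT-hidden gateway is reported rather than silently dropped, which is exactly the gap the message says an automatic system has to fill.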
