I agree: it's not a "hard problem". It's an annoying problem, and the
lack of a dynamic solution causes poor experiences for users.

For a relatively static group of non-moving leaf gateways, even a very
large group, a bit of scripting could generate most of the full mesh
policy, and normal IKEv2 on-demand keying of links would bring up
tunnels as needed.

The reason to have an automatic system is because:
    1) we have mobile nodes that we want to include (roadwarriors)

    2) we have gateways behind NAT that can be hard to find.

    3) we have machines/gateways that have non-transitive authentication
       mechanisms, and it would be very annoying to set up each leaf
       system with a trusted connection to the AAA system for
       authentication.

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] [email protected] http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
                       then sign the petition. 
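As an added example (not part of the original message or any project it mentions), the following script shows the "bit of scripting" approach for the static case described above: it enumerates the n*(n-1)/2 links of a full mesh between non-moving gateways and emits, for one gateway, a per-peer IKEv2 policy with trap installation so that tunnels are keyed on demand rather than pre-established. The output follows strongSwan's swanctl.conf layout (connections, local/remote auth sections, children with local_ts/remote_ts and start_action = trap); the gateway inventory, addresses, subnets and certificate identities are constructed for illustration. It deliberately covers only the static, non-NAT, certificate-authenticated case and does nothing for the roadwarrior, NAT or non-transitive-authentication points raised in the message.

```python
from itertools import combinations

# Constructed inventory of static, non-NAT leaf gateways. Addresses, subnets
# and certificate identities are made up for this example and are not taken
# from the message or from any real deployment.
GATEWAYS = {
    "gw-a": {"addr": "192.0.2.10", "net": "10.10.0.0/24", "id": "CN=gw-a"},
    "gw-b": {"addr": "192.0.2.20", "net": "10.20.0.0/24", "id": "CN=gw-b"},
    "gw-c": {"addr": "192.0.2.30", "net": "10.30.0.0/24", "id": "CN=gw-c"},
    "gw-d": {"addr": "192.0.2.40", "net": "10.40.0.0/24", "id": "CN=gw-d"},
}


def link_count(n):
    """Number of point-to-point links in a full mesh of n gateways."""
    return n * (n - 1) // 2


def mesh_links(gateways):
    """Every unordered pair of distinct gateways, in a stable order."""
    return list(combinations(sorted(gateways), 2))


def peers_of(name, gateways):
    """All gateways except the one the policy is generated for."""
    return [p for p in sorted(gateways) if p != name]


def render_connection(local, remote, gateways):
    """One swanctl.conf 'connections' stanza describing the link from
    `local` to `remote`, as seen from `local`."""
    l, r = gateways[local], gateways[remote]
    lines = [
        f"    {local}-to-{remote} {{",
        f"        local_addrs = {l['addr']}",
        f"        remote_addrs = {r['addr']}",
        "        version = 2",  # IKEv2 only, as the message assumes
        "        local {",
        "            auth = pubkey",
        f"            id = \"{l['id']}\"",
        "        }",
        "        remote {",
        "            auth = pubkey",
        f"            id = \"{r['id']}\"",
        "        }",
        "        children {",
        "            net {",
        f"                local_ts = {l['net']}",
        f"                remote_ts = {r['net']}",
        # trap: install the policy now, negotiate the SA only when traffic
        # matches it, i.e. on-demand keying rather than a pre-built tunnel.
        "                start_action = trap",
        "            }",
        "        }",
        "    }",
    ]
    return "\n".join(lines)


def render_policy(local, gateways):
    """Complete 'connections' block for one gateway: one stanza per peer,
    never a stanza to itself."""
    stanzas = [render_connection(local, p, gateways)
               for p in peers_of(local, gateways)]
    return "connections {\n" + "\n".join(stanzas) + "\n}\n"


if __name__ == "__main__":
    print(f"{len(GATEWAYS)} gateways -> {len(mesh_links(GATEWAYS))} mesh links")
    print(render_policy("gw-a", GATEWAYS))
```

Each gateway receives only its own slice of the mesh (n-1 stanzas), so adding a gateway means regenerating and redistributing every leaf's file, which is exactly the static-inventory assumption the message says breaks down for mobile or NATed nodes.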

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec