I've also read both documents.

Yoav Nir <[email protected]> wrote:
> itself). To my mind a VPN is not an NBMA, but that does not mean an
> NBMA cannot serve as a good model for a VPN.
I agree. I like the idea of thinking of it as an NBMA, but not the idea of
using the layer-2 protocol *directly*. It is clearly a quick (but
Brilliant!) hack inside IOS to reuse some layer-2 ATM code over a WAN.
I also do not like the lack of policy control that GRE/IPsec implies;
specifically, it directly leads to LPM-only routing, and your comment:
> natural progression from hub&spoke to mesh. There doesn't seem to be a
> place for policy on whether a shortcut should or should not be
> established.
This is really a direct result.
It's not clear to me what prevents parts of the mesh from impersonating other
parts, etc.
======
I also read draft-mao-ipsecme-ad-vpn-protocol, and while conceptually I found
it okay, I think that the protocol should be inside IKE.
--
Michael Richardson <[email protected]>, Sandelman Software Works
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
