Date: Fri, 01 Nov 2013 16:22:58 -0400
Message-ID: <[email protected]>
Sender: [email protected]
I have read all three proposals, although I missed the Q&A in Berlin.
I am looking forward to further Q&A in Berlin.
When I read the NBMA protocol (DMVPN, I think) version, what I saw was a very brilliant hack that managed to take two code bases (IPsec and ATM) that were likely already present in that vendor's firmware and connect them. Likely, it took only a few weeks of brilliant hacking, and it was ready for customer use.

I find that this solution for anyone else involves the most amount of new code, and I think it will be the most difficult to support on various mobile and laptop platforms as it requires new encapsulation modes.

draft-mao-ipsecme is architecturally the closest to me, and I like the ADS idea: it seems that it can be implemented without any new kernel code, and I think that if we are trying to get remote warrior and branch office RTP traffic to take a more direct route, then eliminating the need for more network plumbing, and just doing things in IKE, is the right answer. (%)

I don't like having a new protocol: I want it in IKE. While it can and should run inside the tunnel, I don't see why adding a new port to my IKE daemon makes my life easier.

I do like the way that DMVPN uses probe packets to discover the end points of the shorter routes, and I would look forward to including that mechanism.

I don't like that DMVPN does not let http traffic continue to travel via HQ's virus/trojan/netnanny while RTP takes the shortcut.

(%) - the plumbing might need a way to sample 5-tuple flows to see if there is traffic that should be shortcut. However, various schemes to put more specific SPD entries in that cause key requests might accomplish this without new kernel code.

Michael Richardson
-on the road-
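The footnote's idea (a more specific SPD entry that triggers a key request for flows worth shortcutting, while everything else keeps the HQ tunnel) as an added toy model. This is not code from the thread, from draft-mao-ipsecme, or from any DMVPN or IKE implementation; the branch networks, gateway addresses, RTP port range and the ACQUIRE record shape are constructed assumptions for illustration. It sketches what an SPD with longest-match selection does when an HTTP flow and an RTP flow to the same branch both arrive: HTTP matches only the catch-all entry keyed with HQ, RTP matches the narrower entry keyed with the branch gateway, and each entry raises one key request on first use.

```python
"""Toy model of "more specific SPD entries that cause key requests".

Added example, not code from the IETF ipsec thread or from any DMVPN/IKE
implementation. Addresses, gateways, the RTP port range and the ACQUIRE
record format are constructed assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    """A 5-tuple as sampled from the plumbing (constructed input)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class SpdEntry:
    """One outbound SPD selector. None means 'any' for proto/dports."""
    src_net: str
    dst_net: str
    proto: Optional[int]
    dports: Optional[Tuple[int, int]]   # inclusive destination port range
    peer: str                            # IKE peer the child SA is keyed with

    def matches(self, f: Flow) -> bool:
        if ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dports is not None and not (self.dports[0] <= f.dport <= self.dports[1]):
            return False
        return True

    def specificity(self) -> Tuple[int, bool, bool]:
        """Longer prefixes, then narrower proto/port selectors, win."""
        pl = (ipaddress.ip_network(self.src_net).prefixlen
              + ipaddress.ip_network(self.dst_net).prefixlen)
        return (pl, self.proto is not None, self.dports is not None)


class Spd:
    """Outbound SPD with an SA cache; a cache miss produces an ACQUIRE for IKE."""

    def __init__(self, entries):
        self.entries = list(entries)
        self.keyed = set()      # entries that already have a child SA
        self.acquires = []      # (peer, flow) key requests handed to the IKE daemon

    def select(self, f: Flow) -> Optional[SpdEntry]:
        cands = [e for e in self.entries if e.matches(f)]
        return max(cands, key=SpdEntry.specificity) if cands else None

    def outbound(self, f: Flow) -> str:
        e = self.select(f)
        if e is None:
            return "discard"               # no matching policy: drop
        if e not in self.keyed:
            self.acquires.append((e.peer, f))
            self.keyed.add(e)              # assume IKE keys it; toy model
        return e.peer


# Constructed topology: branch A 10.1.0.0/16, branch B 10.2.0.0/16,
# HQ gateway 192.0.2.1, branch B gateway 203.0.113.7 (documentation ranges).
HQ_GW, BRANCH_B_GW = "192.0.2.1", "203.0.113.7"
RTP_PORTS = (16384, 32767)   # a common RTP range; an assumption, not a rule


def build_spd() -> Spd:
    return Spd([
        # Catch-all: everything between the branches goes via HQ.
        SpdEntry("10.1.0.0/16", "10.2.0.0/16", None, None, HQ_GW),
        # More specific: branch-to-branch RTP is keyed directly with B.
        SpdEntry("10.1.0.0/16", "10.2.0.0/16", UDP, RTP_PORTS, BRANCH_B_GW),
    ])


def run_demo():
    """Returns ({flow name: peer keyed with}, [ACQUIRE records])."""
    spd = build_spd()
    http = Flow("10.1.0.5", "10.2.0.9", TCP, 51234, 80)
    rtp1 = Flow("10.1.0.5", "10.2.0.9", UDP, 20000, 20002)
    rtp2 = Flow("10.1.0.6", "10.2.0.9", UDP, 20004, 20006)
    paths = {"http": spd.outbound(http),
             "rtp1": spd.outbound(rtp1),
             "rtp2": spd.outbound(rtp2)}
    return paths, spd.acquires


if __name__ == "__main__":
    paths, acquires = run_demo()
    for name, gw in paths.items():
        print(f"{name:5s} -> keyed with {gw}")
    for peer, flow in acquires:
        print(f"ACQUIRE peer={peer} for {flow}")
```

The point the model makes is that the decision lives entirely in policy: the second RTP flow reuses the SA the first one caused to be negotiated, and no new encapsulation or kernel path is involved, only a narrower selector and the ordinary ACQUIRE that a kernel already raises when an outbound packet matches an unkeyed entry.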
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec