On 06 Nov 2013, at 19:10, Michael Richardson <[email protected]> wrote:
>
> Manish Kumar (manishkr) <[email protected]> wrote:
>> NHRP is used to resolve the remote peer which serves/owns the address we're
>> interested in. The information in this resolution culminates in the creation
>> of SPD.
>
> I think your description is not quite precise enough for SK; so I want to
> restate this for the list, even though we discussed this at the meeting.
>
> The result of the NHRP (which runs inside the GRE/IPsec tunnels) creates a
> new GRE/IPsec SPD to connect the spokes that have the remote peers.
>
> The SPD that gets created does not mention the remote peers, that part is
> done in the routing algorithm.

This is another way of doing it. Technically, we create a full-fledged SA (protecting GRE hostA hostB) but the selection of the remote host is done before the SPD lookup. We first determine the host (forwarding algorithm) and then we pass the packet to the SA for that specific host.

I think Yoav's view of calling it a PAD more accurately describes our implementation but we do not mandate an implementation.

thx,

fred

> --
> Michael Richardson <[email protected]>, Sandelman Software Works
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
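The lookup order described in the reply above, modeled as an added example that is not part of the original message or of any vendor's code: forwarding picks the remote peer from the inner destination, and only then is the packet handed to the SA whose selectors name just the GRE endpoints. The class, method names, addresses and SPI values are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

GRE = 47  # IP protocol number for GRE


@dataclass(frozen=True)
class SA:
    # Selectors cover only the outer GRE flow (hostA <-> hostB);
    # no inner prefix appears here.
    local: str
    peer: str
    proto: int
    spi: int  # constructed value


class Spoke:
    def __init__(self, local):
        self.local = local
        self.routes = {}  # inner prefix -> peer outer address
        self.sas = {}     # peer outer address -> SA for GRE local<->peer

    def add_tunnel(self, prefix, peer, spi):
        """Install a route (static for the hub, NHRP-learned for a spoke)
        and make sure an SA protecting GRE to that peer exists."""
        self.routes[ipaddress.ip_network(prefix)] = peer
        self.sas.setdefault(peer, SA(self.local, peer, GRE, spi))

    def select_peer(self, dst):
        """Forwarding step: longest-prefix match on the inner destination."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]

    def send(self, dst):
        """Determine the peer first, then pass the packet to that peer's SA."""
        peer = self.select_peer(dst)
        if peer is None or peer not in self.sas:
            return None  # no route or no SA: nothing is sent unprotected
        return self.sas[peer]


# Constructed sample: a hub reached by default route, then a spoke-to-spoke
# tunnel added after an NHRP resolution for 10.2.0.0/16.
spoke = Spoke("192.0.2.1")
spoke.add_tunnel("0.0.0.0/0", "192.0.2.254", 0x1000)
spoke.add_tunnel("10.2.0.0/16", "198.51.100.7", 0x2000)
```
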
