On Tue, 3 Dec 2013, Yaron Sheffer wrote:
> There is clear working group interest in a standard auto-discovery VPN solution.
> We have agreed-upon requirements [1].

I was unfortunately not really active during the requirements phase. While I believe there is a need for auto-discovery without preconfiguration, I do not think the current ideas of merging site-to-site based VPNs using ADVPN proposals really increases security. It seems a compromise for convenience at the expense of the intended security of IPsec, and a continued trend from strict policy range based VPNs to loose routing based VPNs, reducing IPsec to a virtual private untrusted ethernet cable.

I think draft-sathyanarayan-ipsecme-advpn-03 comes closest to removing any kind of routing decisions from the IKE/IPsec protocols, leaving the IPsec subsystem as a consumer of the routing decisions made elsewhere.

Paul
