>> >> Harms, Patrick <[email protected]> wrote:
>>> - is allowing to add 'spokes' without configuration changes on the 'hub'
>>> devices (8.1 dmvpn draft)
>>
>>> For me, this is an important point. Changing the configuration on the
>>> hub routers, every time a spoke is added to the network, would make
>>> the rollout process too complex and is a possible source of failures.
>>
>> I don't see how you can add a spoke in any system without requiring
>> some changes to at least one hub and/or the database/LDAP/etc. which
>> keeps track of all the spokes.
>
> 1. You set up a CA
> 2. You accept connections from anyone presenting a certificate from that CA
> 3. You trust everything they tell you in routing protocols.
Yes, that is one of my ideas. Set up a CA with an auto-enrollment process for the certificates (e.g. SCEP). Of course, it is very important to have a solid process for handling certificates, rollouts, stolen devices, operations etc.

> As long as only well-behaved spokes get issued certificates, and they never
> get compromised, everything is fine.
>
>>> Based on the theories (advpn draft and dmvpn) and real world
>>> experience (dmvpn), I would favor dmvpn, because the handling and
>>> operating sounds less complex. (e.g. lower amount of steps in tunnel
>>> initiation, single logical interface for tunnel termination etc.)
>>
>> Do you care about mobile (handheld) devices?
>
> Hey, those are higher-specced than the dual-pentium III at 800MHz with 512 MB
> of RAM that we were selling as a high-end gateway when I started working at
> Check Point :-)
>
> Yoav

I am on the lucky side, and do not have to care about handheld devices.

Patrick

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
