On 03 Feb 2014, at 16:28, Yoav Nir <[email protected]> wrote:
> […]
> The missing piece here is the propagation of the union protected domain
> information among all the 1st tier nodes. This is fairly simple in a single
> enterprise network where such nodes are managed centrally. I can also see how
> in more heterogeneous environments routing protocols could be used. Or the WG
> can develop some new mechanism (although I don't think that's a good idea). I
> think this is more useful than requiring 2nd tier [1] devices to participate
> in routing protocols.
This is precisely one of the major complaints against draft-sathyanarayan. It
translates into multiple forms at various levels.
Some things can work in some use cases but it forever needs development for
other use cases. The changes between v0 and v3 are significant and they will
keep augmenting.
We can no longer call that a simple solution. There are pieces that meet some
of the requirements but are in contradiction with others.
Similarly, draft-sathyanarayan offers multiple implementation or deployment
systems (policy based or tunnel based) which are not compatible at protocol
level. It means implementations have to cover BOTH methods to guarantee
interoperability.
To take a practical example: one domain may initially be rule based, the other
tunnel based. What happens when those domains must now cooperate?
Both issues above will prevent proper cross-domain interoperability. In
particular, a "policy-based" spoke will not be able to talk to a "tunnel based"
hub as per this draft… it would take a decision as to which is the fallback
mode and a dual implementation on at least one of the devices.
In draft-detienne, the tunnels between the hubs need to support one of the
existing routing protocols (we would recommend BGP for large domains). This
guarantees interoperability end-to-end.
thanks,
fred
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec