On 8/14/13 4:00 AM, Zu Qiang wrote:
> This has a requirement that each VN must have a
> different key. In a large data center, the number of VNs can be huge.
> Therefore it may be a problem for key management. Of course there is no
> technology issue when generating that amount of security keys. However,
> it is going to be hard for key management. So my proposal is that we
> shall allow a group key to be used for a group of VNs, in order to
> optimize the key management function.

I think group keys/group keying ought to be used more often, but it only makes sense in those cases where it would be "correct" to pool group members. I don't think that's always the case in a large data center in which you've got multiple tenants or multiple administrative domains within one tenant, or at least you'd need one or more groups per tenant or administrative entity. I think it would be worth writing this up and looking more closely at the question of where it makes sense to share a group key and where it does not.

Melinda
