Re: [I2nsf] [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

2017-09-19 Thread Michael Richardson
Yoav Nir wrote: >> If you have the ID of entities you connect to (eg a hostname) then >> things are easier to look up than if you only know an IP address, and are >> then given an ID. Because then you need to somehow verify the ID-IP set. >> Otherwise, one

Re: [I2nsf] [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

2017-09-18 Thread Yoav Nir
Hi, Paul > On 19 Sep 2017, at 1:31, Paul Wouters wrote: > > On Mon, 18 Sep 2017, Linda Dunbar wrote: > >> If we need to use IPsec tunnels to connect a group of CPE devices, (as shown >> in the figure I sent earlier), do you still need DNS? Or the Key >> management will be

Re: [I2nsf] [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

2017-09-18 Thread Linda Dunbar
Paul, If we need to use IPsec tunnels to connect a group of CPE devices, (as shown in the figure I sent earlier), do you still need DNS? Or the Key management will be managed by the "Zero Touch Deployment Service" in the figure below? Thanks, Linda -Original Message- From: Paul

Re: [I2nsf] [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

2017-09-15 Thread Michael Richardson
Paul Wouters wrote: > See also Opportunistic IPsec, which is a way of creating a mesh with > IPsec using some kind of central (X.509) or decentral (DNSSEC) > authentication. See: And it's important to note that the reverse map that is used doesn't have to be the

Re: [I2nsf] [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

2017-09-14 Thread Paul Wouters
On Thu, 14 Sep 2017, Mike Sullenberger (mls) wrote: If you want to securely encrypt traffic between endpoints then you are going to need to build point-point encrypted tunnels between these endpoints, this is the main reason that SD-WAN implementations use either a full-mesh or dynamic-mesh

Re: [I2nsf] [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

2017-09-07 Thread Linda Dunbar
For example, here is one vendor's implementation (I found on the web, if you equate the "Public Cloud Platform" to the public internet in a shopping mall). -Original Message- From: Michael Richardson [mailto:mcr+i...@sandelman.ca] Sent: Thursday, September 07, 2017 3:19 PM To: Linda

Re: [I2nsf] [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

2017-09-07 Thread Michael Richardson
Linda Dunbar wrote: > Today, many vendors’ remote CPEs support ONUG’s SD-WAN “Zero-touch > deployment” requirement, where the remote CPE devices can be connected to > their controller via barcode scan/email/etc. Dunno. I googled for ONUG SD-WAN Zero-Touch,