Toerless Eckert <[email protected]> wrote:
>> The people in the line behind me did not agree.

> Hmm... Don't remember if anyone else stated that there can be only one
> keypair. As I said in the other mail, both a single and a double
> keypair solution are possible to build, I just think it would be nicer

It's not about keypair, it's about what IPsec would call the SPD, which is a
way to select which traffic goes into which tunnel. I would also have
expected it to be able to select based upon VLAN tag and destination ethernet
type, but people said that wasn't so.
I would love to be told I'm wrong.
I can see if one was building the minimum viable solution that can deal with
state-level attackers on point to point fiber runs, that just encrypting
everything works well.

> if ACP can be separately encrypted from data-plane, but as long as ACP
> is responsible to manage the encryption key, it can equally encrypt
> both ACP and data-plane. It's just that right now, ACP is not optimized
> for fast reconvergence, so a data-plane could converge faster and then
> it might still need to wait for ACP. But that's solely a matter of
> routing protocol and aliveness parameters of ACP/data-plane.

--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
