Re: FW: Request for review of IKEv2/IPsec failover solution draft
In your previous mail you wrote:
And last, your experience may be different, but I have yet to see a service
provider purchase boxes from two different vendors for *security* reasons. I
think in real life, the gateways are likely to be all from the same vendor,
and what we need is client-gateway interoperability.
=> my experience is different but I know some service providers purchase boxes
from at least two different vendors for security reasons: the idea is to get
the service still provided even if a bug, including a security flaw, crashes
all the boxes from one vendor. And this even though it is not so easy: different
management systems, learning of different environments for critical manpower,
interoperability labs, etc.
PS: to agree about a key in a small group is not a hard crypto problem
(i.e., there are known and improved algorithms to do that).
A pure client-gateway proposal is a solution for the suspend/resume problem,
not any kind of failover problem.