
Comments on draft-cuervo-ipsp-arch-00.txt



Abdallah,

> I would appreciate that if anyone has any comments on the current draft,
> ietf-cuervo-ipsp-arch-00.tx, that they send them to me soon as I am
> planning on revising the draft in the next few weeks.

1) My biggest concern with the architecture you propose is that
   I don't believe that it will work appropriately with the full
   breadth of policies that may be expressed.

   For example, looking at the direct domain signalling mode diagram
   in the draft:

   A) How do PS-A and PS-B negotiate a policy to allow communication
      between Domain A and Domain C before PS-A and PS-C have negotiated
      what the communication will look like?  (e.g. will it look like an
      HTTP connection or will it be an ESP-tunnelled message?  I don't
      think you can know that until after PS-A and PS-C have finished
      their negotiation.)

   B) Let's assume there is a Domain A' that is a subdomain of Domain A.
      The policies for A' require an SA between the gateway for A' and the
      gateway for C, the policies for A require an SA between the gateway for
      A and the gateway for C, and the end host in C requires an SA between
      it and a host in A' (the host in A' is amenable to using Host C's
      security association, but doesn't require one to be used).

      How would the policies for these associations get distributed 
      appropriately?

2) Unless I missed it, the draft does not talk about gateway discovery.
   I think this is a very important

I have several other smaller concerns, but they are not worth discussing
until these high-level concerns are addressed.

Matt