
SAD and SPD

I am trying to research the current state of play with respect to
management of large VPNs using IPsec.

Imagine a very large VPN with many worldwide SG tunnel entry points using
IPsec -- say at least one per country...on the order of 200.  Also assume
that it is necessary to add, subtract, or reconfigure any of these devices
from one point.  "One point" could literally mean one point, or (with
appropriate access control) from any one of the 200 points.

Reading the current architecture draft, my impression is that the SAD will
carry information on SAs that a particular device (in this case a SG)
participates in, and would probably be kept close to -- presumably on --
the SG itself.  The SPD, on the other hand, would aggregate and summarize
policies, and could be kept/coordinated more centrally, queried by the
devices needing to set up an SA using LDAP.

The participating devices would still need to authenticate themselves --
e.g. using either preloaded or aircraft-netted certificates and a CA -- but
with the SPD handled centrally, management of the devices could be carried
out with a high degree of aggregation.  The SPD could consist of 200 rules
to allow SAs to be established all-to-all using a list of 200 diverse
registered IP addresses, or even a single rule allowing SA establishment
within all of a registered class C subnet where each address is advertised
separately to the Internet from its remote location.

Is this a correct reading of the current drafts, and does it seem to make
any sense?
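An added illustration, not part of the original post and not code from any IPsec implementation: a small Python model of the SPD/SAD split described above. The SPD is an ordered selector list consulted for every packet (first match wins, no match means discard, as the architecture requires); the SAD is per-gateway state keyed by SPI, outer destination and protocol. It also contrasts the two peer-admission styles mentioned: a list of 200 registered gateway addresses versus one rule covering a whole class C. The gateway block 192.0.2.0/24, the 10.<site>.0.0/16 site networks, the site numbering and all function names are constructed for the example.

```python
"""Toy model of the IPsec SPD (policy) / SAD (SA state) split for a 200-site VPN."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class SPDEntry:
    src: IPNet                  # traffic selectors (inner addresses in tunnel mode)
    dst: IPNet
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"
    peer: Optional[str] = None  # tunnel endpoint (SG address) for PROTECT entries


@dataclass(frozen=True)
class SADEntry:
    spi: int
    dst: str      # outer destination address, i.e. the peer gateway
    proto: str    # "ESP" or "AH"
    cipher: str   # placeholder for the negotiated transform


class SPD:
    """Ordered policy list: first matching entry wins, no match means discard."""

    def __init__(self, entries):
        self.entries = list(entries)

    def lookup(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for e in self.entries:
            if s in e.src and d in e.dst:
                return e
        return None


class SAD:
    """Per-gateway SA state, keyed by (SPI, outer dst, protocol) as the architecture does."""

    def __init__(self):
        self.by_key = {}

    def add(self, sa):
        self.by_key[(sa.spi, sa.dst, sa.proto)] = sa

    def find_outbound(self, peer, proto="ESP"):
        for (_, dst, p), sa in self.by_key.items():
            if dst == peer and p == proto:
                return sa
        return None


def outbound(spd, sad, src, dst):
    """Decide what happens to one outbound packet: policy first, then SA state."""
    e = spd.lookup(src, dst)
    if e is None or e.action == "DISCARD":
        return ("DISCARD", None)
    if e.action == "BYPASS":
        return ("BYPASS", None)
    sa = sad.find_outbound(e.peer)
    if sa is None:
        return ("NEGOTIATE", e.peer)   # no SA yet: this is where IKE would be triggered
    return ("PROTECT", sa)


# Constructed topology: gateway i lives at 192.0.2.(i+1) (the "registered class C")
# and protects the private network 10.i.0.0/16 behind it.
SITE_NET = ipaddress.ip_network("192.0.2.0/24")


def gateway_addr(i):
    return str(SITE_NET[i + 1])


def site_net(i):
    return ipaddress.ip_network(f"10.{i}.0.0/16")


def build_spd(local_site, n_sites=200):
    """Per-peer style: one PROTECT rule per remote site, then a catch-all DISCARD."""
    entries = [SPDEntry(site_net(local_site), site_net(i), "PROTECT", gateway_addr(i))
               for i in range(n_sites) if i != local_site]
    entries.append(SPDEntry(IPNet("0.0.0.0/0"), IPNet("0.0.0.0/0"), "DISCARD"))
    return SPD(entries)


def peer_allowed_by_list(addr, n_sites=200):
    """Admission rule written as an explicit list of 200 registered addresses."""
    return addr in {gateway_addr(i) for i in range(n_sites)}


def peer_allowed_by_subnet(addr):
    """Admission rule written as a single rule for the whole class C."""
    return ipaddress.ip_address(addr) in SITE_NET
```

The two admission functions show the trade-off behind the aggregated rule: `peer_allowed_by_subnet` accepts 192.0.2.201, an address that is in the class C but not on the list of 200 gateways, so once the SPD is collapsed to one subnet rule the certificate check against the CA, not the address rule, is what actually decides which devices may establish an SA.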
