You could give each entity only the things it needs (like for the facility, its private key and the public keys that can connect, and for the XDCs, their private key and the public key of the facility).
I think the main thing then that you don’t protect against is that if someone has access to the facility private key (so an admin, and the facility operator?) and redirects the DNS record, you could get an XDC to connect to your “fake network” instead of the actual one?
I understand of course that you’d only give the keys to the entities that need them. It’s just the general principle of minimizing exposure to private keys. I don’t know how people would exploit them, and that’s the point. At the very least, if they were compromised, anyone could access materializations.
No, because the whole thing needs to be on xpnet. If you have a three-node LAN with two nodes in one facility and the other one in another facility, you need to construct the two locally and the third externally over xpnet, and due to the lack of physical connections, you can’t mix between infranet and xpnet.
Partial links over infranet will be very very complicated.