Differences in security concepts between Consul and Nomad

Hello,

I understand Nomad and Consul are very different products. Nevertheless, both of them are consensus systems with clients and servers. Because of that, I guess similar security measures apply to cluster authorization and communication between agents.

Can someone give me a reason why Consul needs ACL node identity while Nomad does not? It seems that per-node tokens complicate securing a cluster in Consul. The same difference applies to TLS encryption.

The only hint I can find is from the Nomad TLS encryption tutorial.

TLS certificates commonly use the fully-qualified domain name of the system being identified as the certificate’s Common Name (CN). However, hosts (and therefore hostnames and IPs) are often ephemeral in Nomad clusters. Not only would signing a new certificate per Nomad node be difficult, but using a hostname provides no security or functional benefits to Nomad.

From this I could guess Nomad assumes its agents are ephemeral, so it is too complicated to issue per-node TLS certificates. Am I right? Does the same apply to tokens? If so, I reason that there is an assumption that Consul agents are persistent?