[166607] in North American Network Operators' Group
Re: large scale ipsec
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Fri Nov 1 14:15:02 2013
In-Reply-To: <20131101170644.GA17350@netmeister.org>
Date: Fri, 1 Nov 2013 14:11:54 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Fri, Nov 1, 2013 at 1:06 PM, Jan Schaumann <jschauma@netmeister.org> wrote:
> Christopher Morrow <morrowc.lists@gmail.com> wrote:
>
>> One might look at MS's documentation about deploying end-to-end ipsec
>> in their enterprise for one example of peer-to-peer ubiquitous ipsec.
>
> This is interesting and kind of what I'm looking for. Do you have a
> pointer to this documentation?
Sadly I can't find what I once read :( damned webcrawler search!!!
> My apologies for not having defined "large scale" in my original mail.
> What I had in mind was, basically, environments ranging with multiple
> datacenters (possibly across the globe) pushing tens of gb/s or more.
That's probably a different problem to solve, unless you wanted to
push the crypto down to the server/workstation level, which seems like
a more reasonable answer, for a number of reasons, provided you can do
key management and fault isolation.
One good reason to not do link encryption is: "the problem is that
whackadoodle box you put outside the router!" :( Most often those
boxes can't do light-level monitoring, loopbacks, etc... all the stuff
your NOC wants to do when 'link flapped, doh!' happens.
-chris