[166608] in North American Network Operators' Group
Re: large scale ipsec
daemon@ATHENA.MIT.EDU (Scott Weeks)
Fri Nov 1 14:31:21 2013
Date: Fri, 1 Nov 2013 11:30:55 -0700
From: "Scott Weeks" <surfer@mauigateway.com>
To: <nanog@nanog.org>
Reply-To: surfer@mauigateway.com
--- morrowc.lists@gmail.com wrote:
From: Christopher Morrow <morrowc.lists@gmail.com>
One good reason to not do link encryption is: "the problem is that
whackadoodle box you put outside the router!" :( Most often those
boxes can't do light-level monitoring, loopbacks, etc... all the stuff
your NOC wants to do when 'link flapped, doh!' happens.
-----------------------------------------------------
Yes! It is really hard to work with those things for the reasons
you mention and they tend to be the culprit quite often. Also,
a lot of times it adds more finger pointing as there tends to be
a different group taking care of just the bulk encryptors. Last,
I have seen some strange behaviors, such as not passing BPDUs.
That makes VLANing *phun*. Not!
scott