nanog mailing list archives
Re: large scale ipsec
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Fri, 1 Nov 2013 14:11:54 -0400
On Fri, Nov 1, 2013 at 1:06 PM, Jan Schaumann <jschauma () netmeister org> wrote:
> Christopher Morrow <morrowc.lists () gmail com> wrote:
>> One might look at MS's documentation about deploying end-to-end ipsec in their enterprise for one example of peer-to-peer ubiquitous ipsec.
>
> This is interesting and kind of what I'm looking for. Do you have a pointer to this documentation?

sadly I can't find what I once read :( damned webcrawler search!!!

> My apologies for not having defined "large scale" in my original mail. What I had in mind was, basically, environments ranging with multiple datacenters (possibly across the globe) pushing tens of gb/s or more.

that's probably a different problem to solve, unless you wanted to push the crypto down to the server/workstation level, which seems like a more reasonable answer, for a number of reasons, provided you can do key management and fault isolation. One good reason to not do link encryption is: "the problem is that whackadoodle box you put outside the router!" :( most often those boxes can't do light-level monitoring, loopbacks, etc... all the stuff your NOC wants to do when 'link flapped, doh!' happens.

-chris