On 15 Nov 2011, at 23:03, Michael Richardson wrote:
[...]
> So, you trade IPsec SAs ("security ACLs") for extended access-lists and
> routing tables. I don't see a difference if both are automatically
> updated by a policy engine.
>
> I can see that this might matter for devices with fixed purpose ASICs
> that accelerate one kind of access list, but not another..
The net effect is the number of negotiations is greatly reduced when there are
many prefixes in play.
[...]
> I'm curious if you've worked with any other vendor's IPsec?
> Because the issues you describe seem to be implementation limitations.
We actually do have both types of implementations. In practice, we find IPsec +
tunneling largely superior. Fewer negotiations, easier to troubleshoot and scale.
The peer discovery issue is really an overlay / transport (network
virtualization) problem that is well solved outside of IPsec, and tunnels just
made sense.
thanks,
fred
> Still, I think that NHRP over GRE is a pretty good solution to the
> problem, particularly if in the end, you didn't want to actually have
> any ACLs on the resulting tunnels.
>
> --
> ] He who is tired of Weird Al is tired of life!                   | firewalls     [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON        | net architect [
> ] [email protected] http://www.sandelman.ottawa.on.ca/            | device driver [
> Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
> then sign the petition.
>
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec