Mike Sullenberger (mls) writes:
> As for scaling, we already have DMVPN networks of 10000+ nodes and
> looking at building networks of 40000+ nodes. In many cases
> customers have multiple subnets behind each node, therefore with
> just IPsec I would need to have multiple SAs/encryption between the
> same two nodes, even if you are only doing subnet to subnet SPDs.
Why do you need multiple SAs even if there are multiple subnets? IKEv2 allows you to create Child SAs covering multiple subnets at both ends, so you should be able to use just one Child SA as long as the number of subnets is less than a few hundred... There is a limit of 255 traffic selectors per Child SA, but I would expect that implementations might not support that high a number, but tens of selectors should be ok.

> Take the case of two nodes that each have 4 subnets. I could need as
> many as 16 SAs to cover all cases. Or even a simpler case between a
> host (1 local address) and a node at a data center (say 20 subnets),
> I would need up to 20 SAs to cover this. In many of our networks we
> are asked to support at least 5 (sometimes 10) subnets per spoke
> location.

All of those would require one Child SA in IKEv2. If talking about obsolete protocols from the historic times, then you might have needed multiple SAs....

> As far as IPv4 and IPv6 support, you are correct it would only double the
> number of SAs needed, assuming that there are the same number of subnets for
> IPv4 and IPv6. From what I have seen IPv6 tends to increase the number of
> subnets.

IPv4 and IPv6 traffic most likely do need separate SAs, as some implementations do things that way, i.e. if you offer both IPv4 and IPv6 addresses in the proposal the other end will narrow it down to include only IPv4 or IPv6 addresses (or it can accept the SA if it understands internally that even if there are both IPv4 and IPv6 addresses in the traffic selector list, that does not mean you can have packets where the source address is IPv4 and the destination IPv6 :-)
--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
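The points made in the reply above (one Child SA with several traffic selectors instead of one SA per subnet pair, the 255-selector ceiling that comes from the one-octet "Number of TSs" field, and a responder narrowing a mixed IPv4/IPv6 proposal down to a single address family) are illustrated by this added example. It is not code from the thread or from any IKEv2 implementation; the `narrow` function models the responder behaviour the reply describes, and the `single_family` switch is an assumption about how such an implementation chooses.

```python
"""Constructed example: encode IKEv2 (RFC 7296 section 3.13) Traffic Selector
lists and model responder-side narrowing, to show one Child SA covering several
subnets and why a mixed IPv4/IPv6 proposal may end up single-family."""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE = 7, 8   # TS Type values from RFC 7296

def encode_ts(subnet, proto=0, ports=(0, 65535)):
    """One Traffic Selector: type, protocol, selector length, port range,
    then starting and ending address of the range (subnet first/last)."""
    net = ipaddress.ip_network(subnet, strict=False)
    ts_type = TS_IPV4_ADDR_RANGE if net.version == 4 else TS_IPV6_ADDR_RANGE
    addrs = net[0].packed + net[-1].packed          # 8 bytes for v4, 32 for v6
    return struct.pack("!BBHHH", ts_type, proto, 8 + len(addrs), *ports) + addrs

def encode_ts_payload(subnets):
    """Body of a TSi/TSr payload: 1-octet count, 3 reserved octets, selectors.
    The count field is the reason a Child SA carries at most 255 selectors."""
    if not 1 <= len(subnets) <= 255:
        raise ValueError("an IKEv2 TS payload carries 1..255 selectors")
    return struct.pack("!B3x", len(subnets)) + b"".join(map(encode_ts, subnets))

def narrow(proposed, local, single_family=True):
    """Responder narrowing: keep the overlap of each proposed selector with the
    responder's own policy. With single_family=True, mimic the implementations
    mentioned in the reply and keep only the address family of the first match
    (assumed selection rule, not mandated by the RFC)."""
    kept = []
    for p in (ipaddress.ip_network(s, strict=False) for s in proposed):
        for l in (ipaddress.ip_network(s, strict=False) for s in local):
            if p.version != l.version:
                continue                       # v4 and v6 never overlap
            if p.subnet_of(l):
                kept.append(p)
            elif l.subnet_of(p):
                kept.append(l)
    if single_family and kept:
        family = kept[0].version
        kept = [n for n in kept if n.version == family]
    return [str(n) for n in kept]

def sas_needed(n_local, n_remote, per_subnet_pair):
    """Child SAs needed: one per subnet pair versus one multi-selector Child SA."""
    return n_local * n_remote if per_subnet_pair else 1
```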
