Hello,
Who here on this list has deployed IPSec or other comparable lower layer encryption in a large scale environment, or attempted to do so? I've repeatedly heard claims that doing so is not feasible (either operationally or financially), but I have not seen any specific studies, reports, numbers or anything else to support this. Of course I haven't seen anything proving the opposite, either, which is why I'm reaching out here on this list. What was your experience, and what alternatives have you considered? If your findings were made longer than, say, 5 years ago, what might have changed to change the results?
-Jan
Hi Jan,
Please define "large scale". Is that by number of endpoints, throughput, or some other metric? How big is big?
David Barak
On Fri, Nov 1, 2013 at 10:30 AM, David Barak <thegameiam@yahoo.com> wrote:
Hi Jan,
Please define "large scale". Is that by number of endpoints, throughput, or some other metric? How big is big?
It's fair to believe that there are 'lots' of ipsec deployments where there are ~1000 or so endpoints (network endpoints) connected in a 'vpn'. There are also certainly large volume ipsec deployments (I recall an ipsec vpn problem at a former company for a single 400mbps 'flow' between endpoints, maybe David remembers this as well). One might look at MS's documentation about deploying end-to-end ipsec in their enterprise for one example of peer-to-peer ubiquitous ipsec. It'd sure be helpful to have some dimensions to the OP's question though.
-chris
Christopher Morrow <morrowc.lists@gmail.com> wrote:
One might look at MS's documentation about deploying end-to-end ipsec in their enterprise for one example of peer-to-peer ubiquitous ipsec.
This is interesting and kind of what I'm looking for. Do you have a pointer to this documentation? My apologies for not having defined "large scale" in my original mail. What I had in mind was, basically, environments with multiple datacenters (possibly across the globe) pushing tens of Gb/s or more. Though I suppose I'd also be interested in any other scale, both larger and smaller. I'd be glad to collect any information you may want to send me off-list and report back with a summary, if that's preferred.
-Jan
On Fri, Nov 1, 2013 at 1:06 PM, Jan Schaumann <jschauma@netmeister.org> wrote:
Christopher Morrow <morrowc.lists@gmail.com> wrote:
One might look at MS's documentation about deploying end-to-end ipsec in their enterprise for one example of peer-to-peer ubiquitous ipsec.
This is interesting and kind of what I'm looking for. Do you have a pointer to this documentation?
Sadly I can't find what I once read :( damned webcrawler search!!!
My apologies for not having defined "large scale" in my original mail. What I had in mind was, basically, environments with multiple datacenters (possibly across the globe) pushing tens of Gb/s or more.
That's probably a different problem to solve, unless you wanted to push the crypto down to the server/workstation level, which seems like a more reasonable answer, for a number of reasons, provided you can do key management and fault isolation. One good reason to not do link encryption is: "the problem is that whackadoodle box you put outside the router!" :( Most often those boxes can't do light-level monitoring, loopbacks, etc... all the stuff your NOC wants to do when 'link flapped, doh!' happens.
-chris
Can you give us an idea of "large scale" in your mind? Also, site to site deployments or remote access or both?
Paul
On 11/1/2013, 9:38 AM, "Jan Schaumann" <jschauma@netmeister.org> wrote:
Hello,
Who here on this list has deployed IPSec or other comparable lower layer encryption in a large scale environment, or attempted to do so?
I've repeatedly heard claims that doing so is not feasible (either operationally or financially), but I have not seen any specific studies, reports, numbers or anything else to support this. Of course I haven't seen anything proving the opposite, either, which is why I'm reaching out here on this list.
What was your experience, and what alternatives have you considered? If your findings were made longer than, say, 5 years ago, what might have changed to change the results?
-Jan
participants (4): Christopher Morrow, David Barak, Jan Schaumann, Paul Stewart