The MPLS WG Archive

VPN solution - White flag ?
> If the customer uses IPSec, then they have to manage the VPN themselves,

bzzzt! next contestant.

> as well as needing to approximate something close to N^2 connections.

no. though as many security associations as vpns need to be created. of course, as 2547 has no security, there is no such problem there. of course, being security conscious when selling a vpn, i don't see that as a benefit.

> If the (I)SP sells VPN service, then the customer has offloaded the work
> onto the ISP.

indeed.

> There are a few ways you can give private-network solutions to an
> enterprise. The ones I can think of are:
> 1) dedicated line (ATM/FR/Leased Line)
> 2) IPSec sessions over Internet connectivity
> 3) MPLS VPN

yup. except i worry about the privacy in 1 and 3. but they can run ipsec over l2 or over the l2.5 tunnel.

> With #1, the customer can't do full-mesh, because with a large enough
> number of sites, full-mesh is just too expensive and too much to
> manage.

agreed. but many customers have the layer 2 solution today and want to convert. kompella's solution looks tasty, but i want to see more about how to provision it.

> Plus Internet connectivity is not inherent in the mechanism you use to
> build your VPN, so has to be managed on top of that.

isps think of it as overlaying managed ipsec services on top of internet connectivity.

> With #2, the customer has to manage the IPSec sessions.

not any more than they do for 2547. the isp can maintain the cpe, the tunnel can originate on the isp's router a la 2547, or one can use one of the ipsec aggregation boxes.

> Sure, you could manage the CPE, but then *you* have to manage the IPSec
> sessions.

as i have to manage the lsps. no bigger deal. except with ipsec there is no weight in the middle of my network. internet architecture 101, unlike the phone network, the internet is a stupid middle with smart edges.

> And full-mesh is still a problem with many (hundreds to thousands) of
> sites, so you have to have hub and spoke again.

not at all. it's all in the provisioning tools.

> With #3, the customer has nothing to manage. And the provider has to
> manage a technology whose main scalability concern is BGP.

it violates a basic architectural principle. bgp is the first bad consequence we see. i am far from sanguine it will be the only one.

> So yes, you have to do more work and buy more routers.

thanks anyway.

> So customers give you money to provide a VPN service. You give some of
> this money to your vendor of choice, give some to your infrastructure
> buildout, and keep the rest. :)

or give them security and vpns, and keep all the cash (or charge less). plus i have some hope of my network continuing to scale. and scaling is what the internet is about.

randy