The MPLS-OPS Archive


Re: IPSEC in the MLPS core

  • From: <cros_m@tsm.es>
  • Date: Wed, 14 Aug 2002 17:48:17 +0200
  • Importance: Normal
  • Resent-Date: Wed, 14 Aug 2002 13:12:11 -0400
  • To: mpls-ops@mplsrc.com


There are two main reasons:

* We want to use the Cisco Multi-VRF feature, which is not compatible with IPSEC
( http://www.cisco.com/warp/public/cc/pd/rt/2600/prodlit/1575_pp.htm :
Under investigation paragraph )

* In many cases we won't have a proper CE router, but the PE router will
have multiple Ethernet sub-interfaces (802.1Q) belonging to different VRFs.

Miguel




14/08/2002 12:58
"alok" <alok.dube@apara.com>


To:    <mpls-ops@mplsrc.com>
CC:
Subject:     Re: [MPLS-OPS]: IPSEC in the MLPS core


Why don't you originate the IPSEC tunnels at the CE?



----- Original Message -----
From: CROS_M <CROS_M@teleline.es>
To: <mpls-ops@mplsrc.com>
Sent: Wednesday, August 14, 2002 3:45 PM
Subject: [MPLS-OPS]: IPSEC in the MLPS core


We are considering the option to segregate the internal IP network
in my company, with MPLS L3-VPN (RFC2547). Our customers would be the
different departments. Some of them are concerned with confidentiality
issues and are asking for encryption of specific information flows
across the IP network.

Is it possible to create IPSEC tunnels in the PE routers so that the
traffic in the MPLS core goes encrypted?

CE === PE ===== P ... P ====== PE ==== CE
        <---- IPSEC tunnel ---->
                 over
        <-MPLS labelled packet->

Only a small portion of the traffic would need to be encrypted. The
IPSEC would start and finish in the PE. The CE-PE connection would
transport the traffic in clear-text, but it is an assumed risk, because
in many cases it would be implemented through a local 802.1Q interface.
We need a kind of "IPSEC per VRF" functionality.

Does anyone know if the following drafts are being implemented by
the main vendors?
http://www.ietf.org/internet-drafts/draft-ietf-ppvpn-ipsec-2547-01.txt
http://www.ietf.org/internet-drafts/draft-tsenevir-smpls-02.txt


Thanks

      Miguel




-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml


