The MPLS-OPS Archive[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index][Thread Index][Author Index][Subject Index] Re: IPSEC in the MLPS core
well he did say he has VLAn interfaces so maybe there is no CPe or its a LAN switch. either way no real CE to perform IPSec. Secondly if there is a physical CE router, it get horribly expensive to upgrade all the CE's if you have a load of them. Imagine have a network of 100-200 CE's...whammo...big upgrade bill... Then you have a load of support issues etc to deal with if Ce versikon xyz does not work with CE version 123.... Networks OP's nightmare... At the PE is the best place for VPN IPSec if the PE to CE link is Layer2 of some sort only and not shared between VPN subscribers... >From: "alok" <alok.dube@apara.com> >To: <mpls-ops@mplsrc.com> >Subject: Re: [MPLS-OPS]: IPSEC in the MLPS core >Date: Wed, 14 Aug 2002 16:28:17 +0530 > >why dont u originate the IPSEC tunnels at the CE....? > > > >----- Original Message ----- >From: CROS_M <CROS_M@teleline.es> >To: <mpls-ops@mplsrc.com> >Sent: Wednesday, August 14, 2002 3:45 PM >Subject: [MPLS-OPS]: IPSEC in the MLPS core > > >We are considering the option to segregate the internal IP network >in my company, with MPLS L3-VPN (RFC2547). Our customers would be the >different departments. Some of them, are concerned with confidentiality >issues and are asking for encryption of specific information flows >across the IP network. > >¿ Is it possible to create IPSEC tunnels in the PE routers so that the >traffic in the MLPS Core goes encrypted ? > >CE === PE ===== P ... P ====== PE ==== CE > <---- IPSEC tunnel ----> > over > <-MPLS labelled packet-> > >Only an small portion of the traffic would need to be encrypted. The >IPSEC would start and finish in the PE. The CE-PE connection would >transport the traffic in clear-text, but it is an assumed risk, because >in many cases it would be implemented throguh a local 802.1Q interface. >We need a kind of "IPSEC per VRF" functionality. > >¿ Does anyone knows if the following drafts are being implemented by >the main vendors ? >http://www.ietf.org/internet-drafts/draft-ietf-ppvpn-ipsec-2547-01.txt >http://www.ietf.org/internet-drafts/draft-tsenevir-smpls-02.txt > > >Thanks > > Miguel > > > > >------- >The MPLS-OPS Mailing List >Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml >Archive: http://www.mplsrc.com/mpls-ops_archive.shtml > > > >------- >The MPLS-OPS Mailing List >Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml >Archive: http://www.mplsrc.com/mpls-ops_archive.shtml _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com ------- The MPLS-OPS Mailing List Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml Archive: http://www.mplsrc.com/mpls-ops_archive.shtml |
|