The MPLS-OPS Archive


Re: IPSEC in the MLPS core

  • From: "NOC Ops" <theguber@hotmail.com>
  • Date: Wed, 14 Aug 2002 16:53:35 +0000
  • Resent-Date: Wed, 14 Aug 2002 14:22:06 -0400
  • To: CROS_M@teleline.es, mpls-ops@mplsrc.com
  • X-OriginalArrivalTime: 14 Aug 2002 16:53:35.0512 (UTC) FILETIME=[2134F180:01C243B3]
  • X-Originating-IP: [202.156.2.58]

If you are looking for new PEs I would say without a doubt that Cosine has 
the best hybrid MPLS+IPSec implementation. Highly scalable, very flexible 
and good latency and throughput. Fully supports Cisco CE and Cisco P routers 
still...

However entry price is an issue and I guess you need quite a few VPNs before 
it becomes cost effective..

Basically you need to state:

How many PE sites
How many CE sites per PE
How many CE per PE per VPN
What's your Access Bandwidth per CE average
What's your backbone bandwidth PE to PE

Can email me offline if you like and can give you an idea. Just be careful 
on the ..."Oh why don't you just upgrade your Ciscos"...story....can get 
expensive if your network is big enough and complicated enough.

>From: CROS_M <CROS_M@teleline.es>
>To: mpls-ops@mplsrc.com
>Subject: [MPLS-OPS]: IPSEC in the MLPS core
>Date: Wed, 14 Aug 2002 12:15:53 +0200
>
>We are considering the option to segregate the internal IP network
>in my company, with MPLS L3-VPN (RFC2547). Our customers would be the
>different departments. Some of them are concerned with confidentiality
>issues and are asking for encryption of specific information flows
>across the IP network.
>
>Is it possible to create IPSEC tunnels in the PE routers so that the
>traffic in the MPLS core goes encrypted?
>
>CE === PE ===== P ... P ====== PE ==== CE
>         <---- IPSEC tunnel ---->
>                  over
>         <-MPLS labelled packet->
>
>Only a small portion of the traffic would need to be encrypted. The
>IPSEC would start and finish in the PE. The CE-PE connection would
>transport the traffic in clear-text, but it is an assumed risk, because
>in many cases it would be implemented through a local 802.1Q interface.
>We need a kind of "IPSEC per VRF" functionality.
>
>Does anyone know if the following drafts are being implemented by
>the main vendors?
>http://www.ietf.org/internet-drafts/draft-ietf-ppvpn-ipsec-2547-01.txt
>http://www.ietf.org/internet-drafts/draft-tsenevir-smpls-02.txt
>
>
>Thanks
>
>       Miguel
>
>
>
>
>-------
>The MPLS-OPS Mailing List
>Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
>Archive: http://www.mplsrc.com/mpls-ops_archive.shtml



