The MPLS-OPS Archive

RE: IPSec and MPLS
AZIZ

Thanks for your time, I never did see the answers to the following questions. The issue of IPSEC degrading performance is a well documented fact. Can you help us with a less gelatinous answer?

Will

- Is IPsec really scalable in VPNs with 100-200 sites?
- As a consequence of using IPSec in an MPLS network, can I still offer CoS or are there any restrictions? (queuing, traffic classification, DSCP in IPSec header)
- How is key management solved if encryption happens on a managed CE and key management has to be done by the customer?
- Is IPSec on the CE the right solution or is a two box strategy the better option? (e.g. clear interface between provider and customer)
- Are there any better solutions for encryption over an MPLS network?

-----Original Message-----
From: Islam, Aziz [mailto:aziz.islam@eds.com]
Sent: Tuesday, February 19, 2002 3:03 PM
To: alfred.denzler@netsurfer.ch; mpls-ops@mplsrc.com
Subject: RE: IPSec and MPLS

Hi Fredi,

I don't really think that it is "pointless to use IPSec in combination with MPLS". For situations where you don't trust the MPLS core (after having done a thorough risk analysis of the data you may want to protect) it may make more sense to use IPSec in combination with MPLS. It all depends on whether you trust your provider's core and what the associated risks are.

IPSec definitely has its overhead and depending on the routing engine and whether you are using any hardware encryption modules, the performance impact will be different. It all depends.....

Aziz S. Islam
Sr.Infrastructure Splst.- CCIE(R/S)
EDS-Design Engineering
33 Yonge Street; Suite 400
Toronto, Ontario M5E 1G4
CANADA
phone: (416)814-1696
pager: (416)517-4985
mailto:aziz.islam@eds.com
http://www.eds.com

-----Original Message-----
From: Alfred Denzler [mailto:alfred.denzler@netsurfer.ch]
Sent: February 19, 2002 2:18 PM
To: mpls-ops@mplsrc.com
Subject: IPSec and MPLS

Hi there,

I'm planning to introduce an IP encryption service on our MPLS network, and would like to hear your opinion of how IPSec and MPLS are matching. They are both used to build VPNs over a public network and it seems pointless to use them in combination! Except when we want to encrypt VPN traffic over an MPLS network.

I have a few specific questions which I believe are worth thinking about. (We are using hardware from THE vendor)

- What is the impact on performance when turning on IPSec on a CE? (not directly related to MPLS)
- Is IPsec really scalable in VPNs with 100-200 sites?
- As a consequence of using IPSec in an MPLS network, can I still offer CoS or are there any restrictions? (queuing, traffic classification, DSCP in IPSec header)
- How is key management solved if encryption happens on a managed CE and key management has to be done by the customer?
- Is IPSec on the CE the right solution or is a two box strategy the better option? (e.g. clear interface between provider and customer)
- Are there any better solutions for encryption over an MPLS network?

Thanks a million for your answers!

Fredi

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml