large scale ipsec


Who here on this list has deployed IPSec or other comparable lower layer
encryption in a large scale environment, or attempted to do so?

I've repeatedly heard claims that doing so is not feasible (either
operationally or financially), but I have not seen any specific studies,
reports, numbers or anything else to support this. Of course I haven't
seen anything proving the opposite, either, which is why I'm reaching
out here on this list.

What was your experience, and what alternatives have you considered? If
your findings were made longer than, say, 5 years ago, what might have
changed to change the results?


Hi Jan,

Please define "large scale". Is that by number of endpoints, throughput, or some other metric? How big is big?

David Barak

Can you give us an idea of “large scale” in your mind? Also, site to site
deployments or remote access or both?


it's fair to believe that there are 'lots' of ipsec deployments where
there are ~1000 or so endpoints (network endpoints) connected in a
'vpn'. There are also certainly large volume ipsec deployments (I
recall an ipsec vpn problem at a former company for a single 400mbps
'flow' between endpoints, maybe david remembers this as well).

One might look at MS's documentation about deploying end-to-end ipsec
in their enterprise for one example of peer-to-peer ubiquitous ipsec.

it'd sure be helpful to have some dimensions to the OP's question though.


This is interesting and kind of what I'm looking for. Do you have a
pointer to this documentation?

My apologies for not having defined "large scale" in my original mail.
What I had in mind was, basically, environments with multiple
datacenters (possibly across the globe) pushing tens of Gb/s or more.

Though I suppose I'd also be interested in any other scale, both larger
and smaller. I'd be glad to collect any information you may want to
send me off-list and report back with a summary, if that's preferred.


One might look at MS's documentation about deploying end-to-end ipsec
in their enterprise for one example of peer-to-peer ubiquitous ipsec.

This is interesting and kind of what I'm looking for. Do you have a
pointer to this documentation?

sadly I can't find what I once read :( damned webcrawler search!!!

My apologies for not having defined "large scale" in my original mail.
What I had in mind was, basically, environments with multiple
datacenters (possibly across the globe) pushing tens of Gb/s or more.

that's probably a different problem to solve, unless you wanted to
push the crypto down to the server/workstation level, which seems like
a more reasonable answer, for a number of reasons, provided you can do
key management and fault isolation.

One good reason to not do link encryption is: "the problem is that
whackadoodle box you put outside the router!" :( most often those
boxes can't do light-level monitoring, loopbacks, etc... all the stuff
your NOC wants to do when 'link flapped, doh!' happens.
