On Tue, 15 Nov 2011, Praveen Sathyanarayan wrote:

A couple of clarifications here. The Juniper implementation of AC-VPN does not do
GRE over IPsec. It is IPsec alone for implementation (route-based VPN).
Yes, AC-VPN uses NHRP to do resolution just like DM-VPN. But in AC-VPN
there are proprietary messages. It uses standard messages, but has many
proprietary payloads. We believe NHRP is *necessary* but not *sufficient*.
Also, the way the Hub downloads PAD/SPD to spokes (so that they can talk to each
other directly) is not standard.

We believe there is a requirement for a standard so that we can interop
with other vendors.

Please, so we can kill off nonsense like this:

https://gsoc.xelerance.com/projects/openswan/wiki/Juniper_NAT-IPsec_hack_workaround

Whoever designed an IPsec system that violates its own negotiated policies was
on something very illegal.

Paul

-- Praveen



On 11/15/11 7:26 AM, "Yoav Nir" <y...@checkpoint.com> wrote:


On Nov 15, 2011, at 10:52 PM, Michael Richardson wrote:


"Mark" == Mark Boltz <mark.bo...@stonesoft.com> writes:
   Mark> With all due respect to Cisco, the larger problem we're trying
   Mark> to address, is in part the fact that DMVPN and ACVPN are
   Mark> vendor specific implementations. And the goal of the
   Mark> implementation we're seeking is *large scale* P2P VPNs.

Assume that they are available on a wide variety of platforms, what is
broken in the technology?

I don't know, but I've been told
that ACVPN and DMVPN both rely on NHRP and GRE tunnels. I have also heard
(and please someone correct me if I'm wrong) that they don't interoperate.
So the tools are apparently not enough.

   Mark> Picture a hypothetical where a larger interest desires an
   Mark> IPsec VPN, in, say the airline industry. We're talking about
   Mark> several thousand aircraft from several manufacturers. All in

We've been through all of this 15 years ago with AIAG's ANX.

You really want to tout that experience as a success story?

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
