On 16 Nov 2011, at 13:48, Tero Kivinen wrote:

> Frederic Detienne writes:
>> And like I said earlier, the amount of negotiation when there are
>> multiple prefixes to protect is limited to one. With "modern ipsec
>> tunneling" (got to love that), there is still a lot of negotiation
>> going on. 
> 
> I do not understand what you are trying to say there. 

Even with "modern ipsec tunneling", one selector has to be negotiated for each 
pair of prefixes to protect. This can amount to a lot of selectors to negotiate 
in practice.

>> We are talking about potentially hundreds of subnets behind a branch
>> here. 
> 
> Really? There must be something really, really wrong in their
> IP-address allocation in that case. Usually the one branch has only
> few subnets as it would make administration really hard if you put
> hundreds of separate subnets in the same branch office.

Really, and there is nothing wrong.

It is your view that these are "branch offices". A spoke is only a branch from 
a topology standpoint but the actual spoke device may protect very large 
networks at very high throughput.


> -- 
> kivi...@iki.fi
> 

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
