Frederic Detienne writes:
> > Frederic Detienne writes:
> >> And like I said earlier, the amount of negotiation when there are
> >> multiple prefixes to protect is limited to one. With "modern ipsec
> >> tunneling" (got to love that), there is still a lot of negotiation
> >> going on. 
> > 
> > I do not understand what you are trying to say there. 
> 
> even with "modern ipsec tunneling", one selector has to be
> negotiated for each pair of prefixes to protect. This can amount to
> a lot of selectors to negotiate in practice.

Not for each pair of prefixes, but for one selector for each subnet
in total. I.e. if one end has 10 subnets and another has 100, then you
need 10 initiator traffic selectors and 100 responder traffic
selectors. 

> 
> >> We are talking about potentially hundreds of subnets behind a branch
> >> here. 
> > 
> > Really? There must be something really, really wrong in their
> > IP-address allocation in that case. Usually the one branch has only
> > few subnets as it would make administration really hard if you put
> > hundreds of separate subnets in the same branch office.
> 
> Really and there is nothing wrong.
> 
> It is your view that these are "branch offices". A spoke is only a
> branch from a topology standpoint but the actual spoke device may
> protect very large networks at very high throughput. 

Then I have completely misunderstood what this work is about. I had
understood we are doing mesh setup, where everybody may connect to
anybody, i.e. traffic goes directly from one node to another node, not
through other nodes, i.e. no branches and routers on the way, but only
direct connection between two peers.

BTW, if there is really going to be hundreds of subnets, then we do
need to use multiple SAs as Number of TSs is only an 8-bit field, so
there can be only 255 traffic selectors per peer... 
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
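Added example, not part of either poster's message: a small Python encoder for the IKEv2 TSi/TSr payload body (layout per RFC 7296, section 3.13: a one-octet "Number of TSs" count, three reserved octets, then TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE selectors). It shows the per-subnet versus per-pair selector count discussed above, and why a peer with more than 255 subnets has to spread its selectors over several Child SAs. The subnet lists are constructed sample input; the helper names are my own.

```python
import struct
from ipaddress import ip_network

# IKEv2 traffic selector types (RFC 7296, section 3.13.1)
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
MAX_TS_PER_PAYLOAD = 255  # "Number of TSs" is a single octet


def selector_counts(local_subnets, remote_subnets):
    """Selectors needed for one SA: one TSi per local subnet plus one TSr per
    remote subnet, compared with one selector per (local, remote) prefix pair."""
    per_subnet = (len(local_subnets), len(remote_subnets))
    per_pair = len(local_subnets) * len(remote_subnets)
    return per_subnet, per_pair


def encode_selector(prefix):
    """Encode one prefix as an address-range selector covering every protocol
    and port (IP protocol ID 0 and port range 0-65535 mean 'any')."""
    net = ip_network(prefix, strict=False)
    first = net.network_address.packed
    last = net.broadcast_address.packed  # last address of the range
    ts_type = TS_IPV4_ADDR_RANGE if net.version == 4 else TS_IPV6_ADDR_RANGE
    length = 8 + 2 * len(first)  # 8-octet selector header plus start and end address
    # TS Type, IP protocol ID, Selector Length, Start Port, End Port
    return struct.pack("!BBHHH", ts_type, 0, length, 0, 0xFFFF) + first + last


def encode_ts_payload(prefixes):
    """Build the body of a TSi or TSr payload: count octet, 3 reserved octets,
    then the selectors. More than 255 selectors cannot be expressed at all."""
    if len(prefixes) > MAX_TS_PER_PAYLOAD:
        raise ValueError(f"{len(prefixes)} selectors exceed the 8-bit Number of TSs field")
    header = struct.pack("!B3x", len(prefixes))
    return header + b"".join(encode_selector(p) for p in prefixes)


def split_into_sas(prefixes, limit=MAX_TS_PER_PAYLOAD):
    """Chunk a prefix list so that each Child SA carries at most `limit` selectors."""
    return [prefixes[i:i + limit] for i in range(0, len(prefixes), limit)]


if __name__ == "__main__":
    # Constructed sample: 10 subnets on one side, 100 on the other.
    local = [f"10.{i}.0.0/16" for i in range(10)]
    remote = [f"192.168.{i}.0/24" for i in range(100)]
    print("per-subnet (TSi, TSr) / per-pair:", selector_counts(local, remote))
    print("TSi payload bytes:", len(encode_ts_payload(local)))
    big = [f"172.16.{i // 256}.{i % 256}/32" for i in range(300)]
    print("Child SAs needed for 300 subnets:", len(split_into_sas(big)))
```

Each selector is 16 octets for IPv4 and 40 for IPv6, so the single-octet count is the binding limit long before payload size is; splitting the list is the only way to carry the remainder, and each split produces its own Child SA negotiation.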