Hi Stephen,

On 05 Nov 2013, at 23:21, Stephen Kent <k...@bbn.com> wrote:

> 
>>  As for scaling, we already have DMVPN networks of 10000+ nodes and looking 
>> at building networks of 40000+ nodes.
>> In many cases customers have multiple subnets behind each node, therefore 
>> with just IPsec I would need to have multiple SAs/encryption between the 
>> same two nodes, even if you are only doing subnet to subnet SPDs.  Take the 
>> case of two nodes that each have 4 subnets. I could need as many as 16 SAs 
>> to cover all cases.  Or even a simpler case between a host (1 local address) 
>> and a node at a data center (say 20 subnets), I would need up to 20 SAs to 
>> cover this.  In many of our networks we are asked to support at least 5 
>> (sometimes 10) subnets per spoke location.
> That's a helpful clarification. It does not appear to be the sort of 
> environment that initially seemed to be the focus of this work, e.g., road 
> warriors calling home or home/satellite offices for a moderate size 
> enterprise. 

In fact, there are multiple environments in play. From simple networks to 
complex networks. The DMVPN proposal addresses both.

regards,

        fred
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
