Hi Stephen,
On 05 Nov 2013, at 23:21, Stephen Kent <k...@bbn.com> wrote:
>
>> As for scaling, we already have DMVPN networks of 10000+ nodes and looking
>> at building networks of 40000+ nodes.
>> In many cases customers have multiple subnets behind each node, therefore
>> with just IPsec I would need to have multiple SAs/encryption between the
>> same two nodes, even if you are only doing subnet to subnet SPDs. Take the
>> case of two nodes that each have 4 subnets. I could need as many as 16 SAs
>> to cover all cases. Or even a simpler case between a host (1 local address)
>> and a node at a data center (say 20 subnets), I would need up to 20 SAs to
>> cover this. In many of our networks we are asked to support at least 5
>> (sometimes 10) subnets per spoke location.
> That's a helpful clarification. It does not appear to be the sort of
> environment that initially seemed to be the focus of this work, e.g., road
> warriors calling home or home/satellite offices for a moderate size
> enterprise.

In fact, there are multiple environments in play. From simple networks to complex networks. The DMVPN proposal addresses both.

regards,
fred