Dear all,

My name is Patrick and I am working as a system architect. One of my current jobs is to build a vpn architecture that keeps the manual configuration efforts as low as possible and as simple as possible. I have tested and played around with a range of vpn solutions and would like to share my personal opinion with this mailing list.
My preference is for draft-detienne-dmvpn-00, because dmvpn:

- allows adding 'spokes' without configuration changes on the 'hub' devices (8.1 dmvpn draft)
  For me, this is an important point. Changing the configuration on the hub routers every time a spoke is added to the network would make the rollout process too complex and is a possible source of failures.

- scales with multiple 'hubs' linearly
  Also an important point. For me, it is essential to scale out the platform when the number of spokes is increasing. So I am able to start with a size of the platform that fits my needs, but I am able to raise the number of spokes without changing the whole design.

- uses routing protocols for redundancy and path manipulations (8.3 dmvpn draft)
  Using routing protocols or the interaction with routing protocols gives me the possibility of a tighter integration in existing networks. I am also able to use existing technologies for redundancy and path manipulations.

Based on the theories (advpn draft and dmvpn) and real world experience (dmvpn), I would favor dmvpn, because the handling and operating sounds less complex (e.g. lower number of steps in tunnel initiation, single logical interface for tunnel termination etc.).

Additional points from my perspective, dmvpn:

- has an installed base
- is scalable up to 15.000 spokes (tested by myself)
- interoperates with the existing infrastructure due to use of dynamic routing protocols (tested by myself)
- interoperates with load balancers of multiple vendors (tested by myself) (linear hub scale-out scenario)

Maybe these points are fulfilled by the advpn draft as well, but I have no personal experience.
Glossary:
dmvpn - http://tools.ietf.org/html/draft-detienne-dmvpn-01
advpn - http://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03

Best Regards,
Patrick

Volkswagen Financial Services AG
