--- Begin Message ---
Hello,
OK, when saying "not stateful in any meaningful way" I believe You meant data plane encryption/decryption only - bare-bones IPSec without IKE exchange and without anti-replay, or do You? And JUNOS BFD variant (c) requires "anchor PFE" - actually not the PFE as "forwarding chip" but "PFE" as a short way of saying "linecard CPU that runs PPMD" which processes BFD packets from all linecards.
Thanks
Alex


------ Original Message ------
From: "Saku Ytti" <s...@ytti.fi>
To: "Alexander Arseniev" <arsen...@btinternet.com>
Cc: "Juniper List" <juniper-nsp@puck.nether.net>
Sent: 05/03/2020 16:29:57
Subject: Re: Re[2]: [j-nsp] MX960 vs MX10K

On Thu, 5 Mar 2020 at 18:05, Alexander Arseniev <arsen...@btinternet.com> wrote:


> I would expect the "IPSEC anchor PFE", just like it is done with BFD et
> al a.t.m.
> That anchor PFE maintains IKE exchange sequences/anti-replay etc and any
> IKE/IPSec packet arriving on a different PFE would be redirected there.
> Same thing really what currently happens on a Services card.

I'm not sure what you mean by BFD here. BFD can be done in various ways:

a) RPD
b) PPMd on RE CPU
c) PPMd on LC CPU
d) Inline on NPU

If you do it on d) it's done on the NPU where the neighbour is, entirely
on the NPU.

And sure there is signalling in IPSEC, just like there is in BGP,
which is not done in hardware. But actual bit pushing is done in
hardware.


--
  ++ytti


--- End Message ---
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp