
Re: IPSEC tunnels for LAN-to-LAN interop issue



  Fully mesh thousands of sites? That's going to be a problem with IPSec
by itself unless you also have some automagic tunnel endpoint discovery 
mechanism. So I don't think that, in and of itself, is a valid reason to 
not use BGP. You'd hit a scaling wall either way (and administration of
1000 fully meshed GRE tunnels is not trivial).

  Redistribution of BGP routes into a "true IGP" is something that is done 
every day throughout the world so that too I don't see as a problem.

  I guess it comes down to administration. Eliminating the need to
administer a tunnel interface whose sole purpose is to tunnel routing
protocols seems like a win. One less thing to worry about. And it eliminates
the security issues that Steve K was talking about too. Win-win.

  Dan.

On Wed, 01 Sep 1999 02:43:31 PDT you wrote
> 
> 
> Dan,
> 
>  Dan> So let me ask again, what is the problem with BGP?
> 
> Granted BGP is one way to get reachability information in this context, I do
> not agree that it is the right tool.
> IBGP is meant for other purposes than being an IGP.  Besides having to maintain
> TCP connections with the peers
> (which could be a problem if you want to fully mesh thousands of sites - and
> you'd want a route reflector),
> you might actually want to redistribute BGP routes to the true IGP in most
> environments where the IGP is incumbent.
> Also you have increased the layers of route convergence.  Administratively BGP
> adds another task.
> Now you have to administer the BGP policies on the peers such that the prefixes
> are announced and so far we are
> dealing with just one remote SGW.  Imagine thousands of such remote sites.  I
> believe what routing protocols are used should
> strictly be an administrative decision which was implied in this thread.
> 
> Dan> BGP is a _much_ simpler protocol
> 
> Perhaps in implementation.  Not in deployment when the network is large.
> I absolutely like BGP but in this context using BGP just to get intranet
> reachability information
> would be like watering plants with a BobCat:-).
> 
> /sudeep
> 
> 
> 
> 

