RE: (IPSec alternatives)

From: Peter van Oene (pvo@usermail.com)
Date: Thu Jun 12 2003 - 10:24:12 GMT-3

On Thu, 2003-06-12 at 12:57, Truman, Michelle, RTSLS wrote:
> The only thing that protects you from the provider is dark fiber and
> private line. Beyond that, you are on a partitioned network. Many
> thousands of folks have been comfortable with frame and atm. VRF is no
> different. You have vulnerability in the provisioning process, so you
> better be with a carrier who has systems designed to scale provisioning
> and safeguards for provisioning errors.

The same folks who aren't confortable with VRFs are the folks that
aren't comfortable with frame/atm or any other shared facilities. A
number of financial instititions fit this category.

I would furthermore suggest that L3VPNs, being point to multipoint with
autodiscovery enabled (ie 2547bis based) are slightly more vulnerable
than a point to point based system like frame/atm. I can easily add a
site to an L3VPN without much, if any, interaction at the CE level. This
is not quite as transparent in point to point technologies.

>
>
>
> Michelle Truman CCIE # 8098
> Principal Technical Consultant
> AT&T Solutions Center
> mailto:mtruman@att.com
> Work: 651-998-0949
>
>
>
>
>
> -----Original Message-----
> From: Peter van Oene [mailto:pvo@usermail.com]
> Sent: Thursday, June 12, 2003 9:31 AM
> To: 'ccielab@groupstudy.com'
> Subject: RE: (IPSec alternatives)
>
>
> At 08:33 AM 6/12/2003 +0100, McCallum, Robert wrote:
> >why use IPSEC dont you trust MPLS vrfs?
>
> VRFs do not protect you from the provider, or any intermediary providers
> in
> a carrier of carrier networks. I imagine some folks might be
> uncomfortable
> with this.
>
> Pete
>
>
> > > -----Original Message-----
> > > From: Howard C. Berkowitz [mailto:hcb@gettcomm.com]
> > > Sent: 11 June 2003 23:06
> > > To: 'ccielab@groupstudy.com'
> > > Subject: Re: (IPSec alternatives)
> > >
> > >
> > > At 8:57 PM +0100 6/11/03, R&S Groupstudy wrote:
> > > >Hi,
> > > >
> > > >Please can I hear peoples views on the following:
> > > >
> > > >I want to connect three sites together via the internet. (I
> > > just made this
> > > >up)
> > >
> > > Before going farther, you need to a bit more defining of the problem
> > > you want to solve, as well as the technology. I think of VPDN as
> > > virtual private dial network, so where is the dialing if you are
> > > running over the Internet? To the ISP?
> > >
> > > Are there other kinds of data not requiring security that need to go
> > > over the same tunnels, which would be a reason for GRE?
> > >
> > > Where is the IPSec encryption taking place? Hosts? Your
> > > gateways? ISP gateways?
> > >
> > > >
> > > >I have FW IOS feature set routers .
> > > >
> > > >what are the pros and cons of implementing
> > > >
> > > >1. native IPSEC
> > > >2. IPSEC over GRE tunnels
> > > >3. IPsec using VPDN peering beyween routers.
> > > >
> > > >cheers
> > > >
> > > >Adam

This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:57 GMT-3