Re: OT: IPsec throughput over 4 Gbps

From: Mohammad Moghaddas <moghaddas.it_at_gmail.com>
Date: Sun, 2 Sep 2012 00:33:06 +0430

Thanks a lot for your bright description.
As you said, based on its cost and the line rate I think it's what suits my
project.
But yet I'm not confident enough with the security issue, because I read in
different articles that MACsec is somehow mitigating layer 2 attacks,
especially MITM attacks. As one of the documents indicated, this protocol,
which has also become a standard these days, is somehow authenticating the
endpoints. But I think this has much lower overhead than IPsec.
I wanted to use IPsec because I don't trust the physical link between these
two points, as I've heard there are devices out there which are able to
sniff the data magnetically. So I thought that IPsec is the most secure
solution here, but the budget is the barrier now.

BTW, thanks a lot everybody

On Sun, Sep 2, 2012 at 12:20 AM, Brian McGahan <bmcgahan_at_ine.com> wrote:

> In general MACsec is implemented in the ASIC, so it should be line rate.
> Check the hardware release notes of whichever platform you're going to use
> though just to be sure. 3750X does say it's line rate, so 4Gbps throughput
> in MACsec on a 10GigE link shouldn't be a problem. As for the actual
> security of the data plane, it uses AES just like IPsec does so they're
> comparable levels of encryption.
>
> One of the key differences between MACsec and IPsec though is that MACsec is
> a hop-by-hop encryption, while IPsec is an end-to-end tunnel. So for
> example if you're routing your traffic as regular IPv4 over the Internet,
> you can't use MACsec because you'd have to do it on every single link.
> However if the link is yours as layer 2 end-to-end, like dark fiber
> CWDM/DWDM or even MPLS AToM or VPLS then MACsec will work fine.
>
> This would be a good starting place for it:
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swmacsec.pdf
>
> Good luck!
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
> *From:* Mohammad Moghaddas [mailto:moghaddas.it_at_gmail.com]
> *Sent:* Saturday, September 01, 2012 8:02 AM
> *To:* Brian McGahan
> *Cc:* Ryan West; Cisco certification
> *Subject:* Re: OT: IPsec throughput over 4 Gbps
>
>
> And another question, how does MACsec affect switch performance?
> Could a 3750X handle 4 Gbps of throughput using MACsec?
>
> On Sat, Sep 1, 2012 at 7:24 PM, Mohammad Moghaddas <moghaddas.it_at_gmail.com>
> wrote:
>
> Hi Brian,
> You mean that I can use 3750X platform plus 10G module and MACsec?
> Is it as secure as IPsec?
>
> On Sat, Sep 1, 2012 at 6:42 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>
> Is it an Ethernet link? If it's already point to point layer 2 you could
> look into running MACsec instead of IPsec.
>
> HTH,
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
>
> On Sep 1, 2012, at 6:05 AM, "Ryan West" <rwest_at_zyedge.com> wrote:
>
> > 5585-x with SSP60, 5gbps capable.
> >
> > Sent from handheld
> >
> > On Sep 1, 2012, at 8:38 AM, "Mohammad Moghaddas"
> > <moghaddas.it_at_gmail.com> wrote:
> >
> > Thanks for your quick response Ryan.
> > What about ASA?
> > Are there any other solutions out there? Even from another vendor than
> > Cisco?
> >
> >
> > On Sat, Sep 1, 2012 at 4:47 PM, Ryan West
> > <rwest_at_zyedge.com> wrote:
> > It's going to be expensive, look at your options in the ASR line. Afaik,
> > none of the G2's are going to push, even unencrypted.
> >
> > Sent from handheld
> >
> > On Sep 1, 2012, at 8:12 AM, "Mohammad Moghaddas"
> > <moghaddas.it_at_gmail.com> wrote:
> >
> >> Hi there.
> >> I need to run IPsec between two directly connected points with fiber,
> >> but the traffic throughput will be about 4 Gbps.
> >> Only IPsec will be run on these two points and no other protocols (no
> >> routing, no PBR, no NAT, no QoS, nothing).
> >> Is there any option except using 7600 series plus IPsec SPA?
> >> Is it possible on 3900 plus HSEC? But I didn't find any 10G module for
> >> these routers. And what about 2900?
> >> Sharing your experiences will be appreciated.
> >>
> >> Best Regards.
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html

Received on Sun Sep 02 2012 - 00:33:06 ART

This archive was generated by hypermail 2.2.0 : Mon Oct 01 2012 - 06:40:29 ART