large scale ipsec

Scott Weeks surfer at
Fri Nov 1 18:30:55 UTC 2013

--- morrowc.lists at wrote:
From: Christopher Morrow <morrowc.lists at>

One good reason to not do link encryption is: "the problem is that
whackadoodle box you put outside the router!" :( most often those
boxes can't do light-level monitoring, loopbacks, etc... all the stuff
your NOC wants to do when 'link flapped, doh!' happens.

Yes!  It is really hard to work with those things for the reasons
you mention and they tend to be the culprit quite often.  Also,
a lot of times it adds more finger pointing as there tends to be
a different group taking care of just the bulk encryptors.  Last,
I have seen some strange behaviors, such as not passing BPDUs.
That makes VLANing *phun*.  Not!
