[nsp] OSPF & Encryption

atticus at satanic.org
Tue Nov 18 12:16:41 EST 2003

> We also want to run OSPF.

As you mentioned, tunnels are really the only way to make this work. The
one upside is the usual caveat is dealing with reduced MTU (...and I've
found that not dealing with the fragmentation appropriately can introduce
as much overhead as the crypto), but since you'll own both ends of the
serial interfaces, you can bump this up so that you can effectively
maintain an end-to-end 1500 MTU.

> I was going to encrypt the links using IPSec but this breaks OSPF. Cisco's
> solution seems to be to use GRE tunnels - something I don't have experience
> with. Is there a simpler way?

> Are there alternatives to IPSec for encrypting point-to-point links?

Staying within the Cisco realm, I believe your only option (and it's not
really an option) is doing MPPC within PPP. I've only ever done this for
the case of PPTP, but it _should_ work.

> We have customers (we're in the financial industry) that insist that we
> encrypt our private T1s.

Though you might not like the answers, they're obviously already doing it
in some/many places; just ask them for a tech contact. Most financials
that I've done business with have a team of full-time security people
examining your orifices that enjoy talking about this stuff.
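
Added example, not part of the original post: a small calculator for the MTU point made in the reply, showing how large the serial-link MTU must be to carry a 1500-byte packet through GRE protected by IPsec ESP without fragmentation. It assumes IPv4 headers without options, a basic 4-byte GRE header (no key, checksum or sequence number), a 96-bit truncated HMAC, and no NAT traversal; all function and table names are illustrative.

```python
# Assumptions (not from the post): IPv4 without options, basic GRE header,
# ESP with a CBC cipher and a 96-bit truncated HMAC, no NAT-T encapsulation.
IP_HDR = 20       # IPv4 header, no options
GRE_HDR = 4       # GRE header without key/checksum/sequence fields
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad-length byte + next-header byte
ICV_LEN = 12      # HMAC-SHA1-96 or HMAC-MD5-96

# cipher name -> (block size, IV length) in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def gre_packet_len(inner_len):
    """Size of the GRE-encapsulated IP packet carrying inner_len bytes."""
    return IP_HDR + GRE_HDR + inner_len


def esp_packet_len(ip_packet_len, cipher, tunnel_mode=True):
    """Size on the wire after ESP is applied to an IP packet."""
    block, iv = CIPHERS[cipher]
    # Tunnel mode encrypts the whole packet and adds a new IP header;
    # transport mode keeps the existing IP header outside the ESP payload.
    payload = ip_packet_len if tunnel_mode else ip_packet_len - IP_HDR
    # Payload plus trailer is padded up to a multiple of the cipher block.
    padded = -(-(payload + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + ICV_LEN


def required_link_mtu(inner_mtu, cipher, tunnel_mode=True):
    """Link MTU needed so an inner_mtu-byte packet is never fragmented."""
    return esp_packet_len(gre_packet_len(inner_mtu), cipher, tunnel_mode)


def max_inner_mtu(link_mtu, cipher, tunnel_mode=True):
    """Largest tunnel MTU that fits if the link MTU cannot be raised."""
    inner = link_mtu
    while inner > 0 and required_link_mtu(inner, cipher, tunnel_mode) > link_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    for cipher in CIPHERS:
        for tunnel in (True, False):
            mode = "tunnel" if tunnel else "transport"
            print(cipher, mode,
                  "link MTU for 1500 inner:", required_link_mtu(1500, cipher, tunnel),
                  "| inner MTU on 1500 link:", max_inner_mtu(1500, cipher, tunnel))
```
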
