[f-nsp] Brocade IPSEC modules

Wilbur Smith wsmith at brocade.com
Mon Aug 22 17:51:46 EDT 2016


Hey Folks,
Don’t want to bombard you with marketing crap, but if you divide the cost of the module by the total aggregate speed (44Gb encryption engine) the cost per 1Gb of encrypted throughput is the lowest in the market; the module is still 2X the throughput of the closest module available on the Juniper MS-DPC; the encryption engine on a Catalyst WS-IPSEC-3 module is only 8 Gbps. If you’re deploying IPSec on a Cisco ASR, you’re also looking at an additional $10K charge for the IPSEC license in IOS after you buy the actual module. We don’t license any software features, IPSec included, on the MLXe.

The IPSec module has 4X10G and 4X1G interfaces and uses an FPGA-based encryption engine that sits directly on the module, so you don’t have to dedicate a separate slot on the router for an encryption service module. The upside to this approach is that data doesn’t make a U-turn through the chassis to a service module to be encrypted; every time you’re sending any data to a separate service module, you’re burning backplane bandwidth twice because of the intermediate hop to the service module.

We’re not bullshi**ing on performance; you can push *bidirectional* line-rate encrypted traffic streams across all the 10G and 1G ports, with 9.2K Jumbo packets, and the module will never drop a packet. You can also stack every module in an MLXe with an IPSec module, while still running line-rate, and we actually support running 32 IPSec modules in an MLXe-32 (yes, there are actually customers that need this amount of encryption). This module was primarily built for Federal/DOD customers, so it supports Common Criteria & FIPS with Elliptic Curve encryption and AES-256, again…all in an FPGA-based engine, not a L7 application process in our code. The module contains 3GB of buffers to help with bursty traffic and supports 512 IPv4 routes, so you can use it as an egress port into a large BGP core. All of the existing IPv4/IPv6 & L2 features on the MLXe work across the module, so it can be inserted into an existing MPLS or BGP backbone.

But yeah, it’s still an expensive module. Part of the target market are customers with FIPS, HIPAA, or PCI requirements who are required to bulk encrypt traffic across their WAN or at their datacenter’s edge. If someone needs less than 10Gb of encrypted throughput, then the IPSec module for the ICX is a much better fit and shares a lot of the architecture of the MLXe IPSec module. The MLXe IPSec module can terminate IPSec tunnels for the ICX, so it’s a good solution for aggregating multiple IPSec tunnels from remote sites. Later this year we should also be able to support terminating IPSec tunnels from vRouter, so you will be able to leverage it as an IPSec cloud-bridging solution for applications running in AWS.

Wilbur







From: foundry-nsp [mailto:foundry-nsp-bounces at puck.nether.net] On Behalf Of Eldon Koyle
Sent: Monday, August 15, 2016 8:32 AM
To: Michael Gehrmann <mgehrmann at atlassian.com>
Cc: foundry-nsp <foundry-nsp at puck.nether.net>
Subject: Re: [f-nsp] Brocade IPSEC modules


I'm still trying to recover from the sticker shock.  They only have one option for ipsec, a 4-port 10g card that lists for $120k in the US.

--
Eldon

On Aug 14, 2016 22:21, "Michael Gehrmann" <mgehrmann at atlassian.com> wrote:
Has anyone experienced/used the IPSEC modules for MLX or the like?

Good/Bad/Ugly?

--
Michael Gehrmann


_______________________________________________
foundry-nsp mailing list
foundry-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp