[j-nsp] MX960 vs MX10K
Alexander Arseniev
arseniev at btinternet.com
Thu Mar 5 11:04:59 EST 2020
------ Original Message ------
From: "Saku Ytti" <saku at ytti.fi>
>IPSEC isn't stateful in any meaningful way. If you can implement MACSec
>it shouldn't take much more transistors to do IPSEC.
I always thought maintaining anti-replay counters/IKEv exchange
sequences etc is a stateful job, just like TCP handshake/SEQ numbers,
no?
>
>Indeed current gen (post EA, i.e. ZT and YT) Trio does IPSEC in every port.
>
I would expect the "IPSEC anchor PFE", just like it is done with BFD et
al a.t.m.
That anchor PFE maintains IKE exchange sequences/anti-replay etc and any
IKE/IPSec packet arriving on a different PFE would be redirected there.
Same thing, really, as what currently happens on a Services card.
Thanks
Alex
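
The per-SA anti-replay state discussed in this thread, as an added example that is not part of the original post or any vendor's code: a sliding-window check in the style of RFC 4303 (64-packet window, no ESN), run once with a single window and once with two unsynchronised copies. The class and function names, the engine numbering and the packet sequence are constructed for illustration.

```python
# Added illustration: ESP anti-replay window kept per inbound SA.
# All names are hypothetical; the arrival sequence below is constructed.

class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (top - i) already seen

    def check_and_update(self, seq):
        """Return True and record seq if acceptable, False if replayed/too old.
        A real receiver commits the update only after the ICV verifies."""
        if seq == 0:
            return False                     # ESP sequence numbers start at 1
        if seq > self.top:                   # new highest: slide window right
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                     # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                     # already seen: replay
        self.bitmap |= 1 << offset           # late but new: mark as seen
        return True


def anchored(packets):
    """Every packet of the SA is checked against one window."""
    window = ReplayWindow()
    return [window.check_and_update(seq) for _, seq in packets]


def unsynchronised(packets, engines=2):
    """Each ingress engine keeps its own private copy of the window."""
    windows = [ReplayWindow() for _ in range(engines)]
    return [windows[eng].check_and_update(seq) for eng, seq in packets]


# Constructed arrivals: (ingress engine, ESP sequence number).
# Sequence 2 arrives a second time on engine 1; sequence 5 arrives after 70.
ARRIVALS = [(0, 1), (0, 2), (0, 3), (1, 2), (0, 70), (1, 5)]

if __name__ == "__main__":
    print("single window :", anchored(ARRIVALS))
    print("two windows   :", unsynchronised(ARRIVALS))
```

With one window the duplicate and the stale packet are dropped; with two independent windows both are accepted, because neither copy has seen the other's traffic.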