[j-nsp] MX960 vs MX10K

Alexander Arseniev arseniev at btinternet.com
Thu Mar 5 16:19:52 EST 2020


Hello,
OK, when saying "not stateful in any meaningful way" I believe you 
meant data plane encryption/decryption only - barebone IPSec without IKE 
exchange and without anti-replay, or do you?
And JUNOS BFD variant (c) requires an "anchor PFE" - actually not the PFE 
as "forwarding chip" but "PFE" as a short way of saying "linecard CPU that 
runs PPMD" which processes BFD packets from all linecards.
Thanks
Alex


------ Original Message ------
From: "Saku Ytti" <saku at ytti.fi>
To: "Alexander Arseniev" <arseniev at btinternet.com>
Cc: "Juniper List" <juniper-nsp at puck.nether.net>
Sent: 05/03/2020 16:29:57
Subject: Re: Re[2]: [j-nsp] MX960 vs MX10K

>On Thu, 5 Mar 2020 at 18:05, Alexander Arseniev <arseniev at btinternet.com> wrote:
>
>
>>  I would expect the "IPSEC anchor PFE", just like it is done with BFD et
>>  al a.t.m.
>>  That anchor PFE maintains IKE exchange sequences/anti-replay etc and any
>>  IKE/IPSec packet arriving on a different PFE would be redirected there.
>>  Same thing really what currently happens on a Services card.
>
>I'm not sure what you mean by BFD here. BFD can be done in various ways
>
>a) RPD
>b) PPMd on RE CPU
>c) PPMd on LC CPU
>d) Inline on NPU
>
>If you do it on d) it's done on the NPU where the neighbour is, entirely
>on the NPU.
>
>And sure there is signalling in IPSEC, just like there is in BGP,
>which is not done in hardware. But actual bit pushing is done in
>hardware.
>
>
>--
>   ++ytti


