--- Begin Message ---
------ Original Message ------
From: "Saku Ytti" <[email protected]>
> IPSEC isn't stateful in any meaningful way. If you can implement MACSec
> it shouldn't take much more transistors to do IPSEC.

I always thought maintaining anti-replay counters/IKEv exchange
sequences etc is a stateful job, just like TCP handshake/SEQ numbers,
no?

> Indeed current gen (post EA, i.e. ZT and YT) Trio does IPSEC in every port.

I would expect the "IPSEC anchor PFE", just like it is done with BFD et
al a.t.m.
That anchor PFE maintains IKE exchange sequences/anti-replay etc and any
IKE/IPSec packet arriving on a different PFE would be redirected there.
Same thing, really, as what currently happens on a Services card.
Thanks
Alex
--- End Message ---
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
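
The per-SA anti-replay state this message refers to, sketched as an added example (not part of the original post and not Juniper's implementation): a 64-packet sliding window in the style of RFC 4303, for 32-bit sequence numbers without ESN. The names `replay_state` and `replay_check_update`, the window size and the two-PFE scenario in `main` are assumptions made for the sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64u /* assumed window size, in packets */

/* Per-SA receive state: the part that has to live in exactly one place. */
struct replay_state {
    uint32_t top;    /* highest sequence number accepted so far */
    uint64_t bitmap; /* bit i set => sequence (top - i) already seen */
};

/* Returns true and records seq if it is new and inside the window;
 * returns false for a duplicate or a packet older than the window.
 * Call only after the integrity check passed. No ESN and no wrap
 * handling: the SA is assumed to be rekeyed before 2^32 packets. */
bool replay_check_update(struct replay_state *s, uint32_t seq)
{
    if (seq == 0)
        return false; /* ESP sequence numbers start at 1 */

    if (seq > s->top) { /* packet moves the right edge forward */
        uint32_t shift = seq - s->top;
        s->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (s->bitmap << shift);
        s->bitmap |= 1u;
        s->top = seq;
        return true;
    }

    uint32_t offset = s->top - seq;
    if (offset >= REPLAY_WINDOW)
        return false; /* left of the window: too old */

    uint64_t bit = (uint64_t)1 << offset;
    if (s->bitmap & bit)
        return false; /* already seen: replay */
    s->bitmap |= bit;
    return true;
}

int main(void)
{
    /* Constructed scenario: one SA, two PFEs, each with its own copy of the state. */
    struct replay_state pfe_a = {0, 0}, pfe_b = {0, 0};
    bool on_a = replay_check_update(&pfe_a, 7);
    bool on_b = replay_check_update(&pfe_b, 7); /* pfe_b never saw seq 7 */
    bool again_a = replay_check_update(&pfe_a, 7);
    printf("pfe_a=%d pfe_b=%d pfe_a_again=%d\n", on_a, on_b, again_a);
    return 0;
}
```

With separate state per PFE the same sequence number is accepted twice, while a single copy of the state rejects the second arrival.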