Re: Frame PVC encryption options?

From: TC Wolsey (twolseyat_private)
Date: Mon Feb 07 2000 - 15:09:23 PST


    > Paraic OCeallaigh <paraicat_private> 02/07/00 07:54AM >>>
    >Hi,
    >Just wondering if anyone has recommendations for encryption between
    >Cisco routers on a Frame PVC?
    >We have a number of banking clients on a frame relay network who are
    >asking about encrypting traffic on their cisco 2500s for added security
    >Regards,
    >
    >Paraic OCeallaigh
    >Technical Solutions
    >Cognotec Ltd
    >Dublin
    >http://www.cognotec.com 
    >
    
    There are IOS images that will do IPSec b/w 2500 series routers over any media that will carry IP, Frame Relay included. There are several limitations to this solution:
    
    1. The traffic has to be IP before it can be encrypted, IPX/AT/whatever typically has to be tunnelled over GRE.
    2. I believe only 56 DES crypto is supported in the 2500 series at a maximum throughput of something like 128kbps.
    3. Asymmetric crypto operations really tax the 68k series processor in the 2500s, so you may be looking at pre-shared key authentication without perfect forward secrecy - not particularly strong crypto in today's world.
    
    Other Cisco boxes in the same category as the 2500s have better IPSec throughput if that is an option. Cylink (http://www.cylink.com), VPNet (http://www.vpnet.com) and Western Data Comm (http://www.western-data.com) all make devices that sit between the router and the telco and encrypt on a link or PVC basis. On the plus side for the Cisco solution - the traffic to be encrypted can be specified on a very granular basis, on the downside the 2500 is probably underpowered for most crypto operations. On the plus side for the link encryptors they can be transparent to the routed infrastructure, on the downside they may have proprietary or undocumented schemes for key exchange and they present an additional point of failure in the network.
    
    Regards,
    
    tcw
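
Added example, not part of the original message or of any Cisco document: a sketch of the router-based option the reply describes, with IPX carried in GRE and the GRE packets protected by IPSec using DES, a pre-shared key and no PFS, on a Frame Relay point-to-point subinterface. All addresses, the DLCI, the IPX network number, the names FR-DES and FR-MAP and the key placeholder are assumptions, and the layout assumes an IPSec-capable IOS image of that era, where the crypto map is applied to both the tunnel and the physical subinterface.

```cisco
! Constructed example: local end of one PVC. The remote router mirrors it
! with the addresses swapped.
ipx routing
!
! IKE phase 1: pre-shared key authentication, 56-bit DES, DH group 1
crypto isakmp policy 10
 encryption des
 hash sha
 authentication pre-share
 group 1
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
!
! IPSec phase 2: ESP with DES and SHA-1 HMAC; no "set pfs" line in the
! crypto map, so there is no perfect forward secrecy
crypto ipsec transform-set FR-DES esp-des esp-sha-hmac
!
crypto map FR-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set FR-DES
 match address 101
!
! GRE tunnel carries the non-IP protocol (IPX here) inside IP
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ipx network 1A2B
 tunnel source Serial0.1
 tunnel destination 192.0.2.2
 crypto map FR-MAP
!
interface Serial0
 no ip address
 encapsulation frame-relay
!
! One subinterface per PVC; the crypto map binds encryption to this PVC
interface Serial0.1 point-to-point
 ip address 192.0.2.1 255.255.255.252
 frame-relay interface-dlci 100
 crypto map FR-MAP
!
! Granular selection: only GRE between the two tunnel endpoints is encrypted
access-list 101 permit gre host 192.0.2.1 host 192.0.2.2
```

After both ends are configured, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that the security associations are up and that the encrypt/decrypt packet counters increase when traffic crosses the tunnel.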
    


