Firewall Wizards mailing list archives

Re: Frame PVC encryption options?


From: "TC Wolsey" <twolsey () realtech com>
Date: Mon, 07 Feb 2000 18:09:23 -0500

Paraic OCeallaigh <paraic () nsl ie> 02/07/00 07:54AM >>>
Hi,
Just wondering if anyone has recommendations for encryption between
Cisco routers on a Frame PVC?
We have a number of banking clients on a frame relay network who are
asking about encrypting traffic on their Cisco 2500s for added security.
Regards,

Paraic OCeallaigh
Technical Solutions
Cognotec Ltd
Dublin
http://www.cognotec.com 


There are IOS images that will do IPSec b/w 2500 series routers over any media that will carry IP, Frame Relay included. There are several limitations to this solution:

1. The traffic has to be IP before it can be encrypted; IPX/AT/whatever typically has to be tunnelled over GRE.
2. I believe only 56 DES crypto is supported in the 2500 series at a maximum throughput of something like 128kbps.
3. Asymmetric crypto operations really tax the 68k series processor in the 2500s, so you may be looking at pre-shared key authentication without perfect forward secrecy - not particularly strong crypto in today's world.

Other Cisco boxes in the same category as the 2500s have better IPSec throughput if that is an option. Cylink (http://www.cylink.com), VPNet (http://www.vpnet.com) and Western Data Comm (http://www.western-data.com) all make devices that sit between the router and the telco and encrypt on a link or PVC basis. On the plus side for the Cisco solution - the traffic to be encrypted can be specified on a very granular basis; on the downside, the 2500 is probably underpowered for most crypto operations. On the plus side for the link encryptors, they can be transparent to the routed infrastructure; on the downside, they may have proprietary or undocumented schemes for key exchange and they present an additional point of failure in the network.

Regards,

tcw


