Application Acceleration
Demarco

Encryption license and deployment questions

Hi, we just received the licenses to upgrade our community of approximately 125 devices (a pair of WXC590's at each of our two redundant hub locations and about 120 spoke sites with WXC250's). We intend to use CMS to do the license upgrade deployments. Everything is off-path within our environment and configured as WCCP (locally seen only) multicast groups.

1. Can you point me to the documentation that will explain the details of doing this (via CMS)?

2. From our understanding, currently the tunnels consist of AFP encapsulation packet type 108.  Does this imply that they are using UDP port 108 as the transport?  Once the encryption license is applied... Will that change, and if so, to what.  (i.e. TCP 443)?

3. Must SSL certificates be imported for all encrypted traffic that we desire to compress?  Will other types of decryption/encryption be supported?

4. Are there any caveats to doing the whole community en masse, or should we migrate in a slower phased approach?

DannyJ

Re: Encryption license and deployment questions

Hello,

I will reply to some of this in the forum. With regard to your first question, it's really beyond the scope of this forum to answer that level of detailed question; have you taken a look in the CMS manual, as there is good documentation here to start with? Please work with your Juniper partner or Juniper SE for advice at this level.

2. From our understanding, currently the tunnels consist of AFP encapsulation packet type 108.  Does this imply that they are using UDP port 108 as the transport?  Once the encryption license is applied... Will that change, and if so, to what.  (i.e. TCP 443)?

(DJJ) No, protocol 108 is IPCOMP. Once you apply the encryption license you have the option to encrypt the data over the WAN using IPSEC; we use ESP, by the way, with AES/3DES encryption.

3. Must SSL certificates be imported for all encrypted traffic that we desire to compress?  Will other types of decryption/encryption be supported?

(DJJ) You only need to import the SSL certificate into the box in front of the servers where the key is located, so typically the keys are imported just into the data-centre boxes.

4. Are there any caveats to doing the whole community en masse, or should we migrate in a slower phased approach?

(DJJ) When you refer to migrating, are you referring to deploying IPSEC encryption? If so, I'd do it gradually over time.

Danny Jump
Technical Marketing Manager - Access and Acceleration Business Unit

Demarco

Re: Encryption license and deployment questions

Hello,

I will reply to some of this in the forum. With regard to your first question, it's really beyond the scope of this forum to answer that level of detailed question; have you taken a look in the CMS manual, as there is good documentation here to start with? Please work with your Juniper partner or Juniper SE for advice at this level.

(Demarco) I was just asking if you had a handy link to the CMS documentation on performing this task. But I will find that, though, and discuss it further with our Juniper SE. Thanks!

2. From our understanding, currently the tunnels consist of AFP encapsulation packet type 108.  Does this imply that they are using UDP port 108 as the transport?  Once the encryption license is applied... Will that change, and if so, to what.  (i.e. TCP 443)?

(DJJ) No, protocol 108 is IPCOMP. Once you apply the encryption license you have the option to encrypt the data over the WAN using IPSEC; we use ESP, by the way, with AES/3DES encryption.

(Demarco) I had a brain fart - my mistake in calling IPComp --> AFP.  So, just to ensure I captured your response correctly...IPComp is UDP port 108?  If we encrypt data on the WAN, it then becomes TCP port 443?  Is that correct, or will it stay as UDP port 108?  Basically, we want to ensure (with WCCP redirect ACL deny statements) going forward that we do not tunnel already tunneled traffic during fault scenarios within our WAN.

3. Must SSL certificates be imported for all encrypted traffic that we desire to compress?  Will other types of decryption/encryption be supported?

(DJJ) You only need to import the SSL certificate into the box in front of the servers where the key is located, so typically the keys are imported just into the data-centre boxes.

(Demarco) OK. Thank you!

4. Are there any caveats to doing the whole community en masse, or should we migrate in a slower phased approach?

(DJJ) When you refer to migrating, are you referring to deploying IPSEC encryption? If so, I'd do it gradually over time.

(Demarco) No, I was really just asking: is there any risk in enabling the license feature in the whole community at once?

DannyJ

Re: Encryption license and deployment questions

2. From our understanding, currently the tunnels consist of AFP encapsulation packet type 108.  Does this imply that they are using UDP port 108 as the transport?  Once the encryption license is applied... Will that change, and if so, to what.  (i.e. TCP 443)?

(DJJ) No, protocol 108 is IPCOMP. Once you apply the encryption license you have the option to encrypt the data over the WAN using IPSEC; we use ESP, by the way, with AES/3DES encryption.

(Demarco) I had a brain fart - my mistake in calling IPComp --> AFP.  So, just to ensure I captured your response correctly...IPComp is UDP port 108?  If we encrypt data on the WAN, it then becomes TCP port 443?  Is that correct, or will it stay as UDP port 108?  Basically, we want to ensure (with WCCP redirect ACL deny statements) going forward that we do not tunnel already tunneled traffic during fault scenarios within our WAN.

(DJJ) No, protocol 108 is IPCOMP. It's a totally different transport protocol to UDP, which is protocol 17. We typically use ports 3577 and 3578 for connections between the boxes. When you encrypt using IPSEC/ESP it's protocol 50.

Danny Jump
Technical Marketing Manager - Access and Acceleration Business Unit

Demarco

Re: Encryption license and deployment questions

2. From our understanding, currently the tunnels consist of AFP encapsulation packet type 108.  Does this imply that they are using UDP port 108 as the transport?  Once the encryption license is applied... Will that change, and if so, to what.  (i.e. TCP 443)?

(DJJ) No, protocol 108 is IPCOMP. Once you apply the encryption license you have the option to encrypt the data over the WAN using IPSEC; we use ESP, by the way, with AES/3DES encryption.

(Demarco) I had a brain fart - my mistake in calling IPComp --> AFP.  So, just to ensure I captured your response correctly...IPComp is UDP port 108?  If we encrypt data on the WAN, it then becomes TCP port 443?  Is that correct, or will it stay as UDP port 108?  Basically, we want to ensure (with WCCP redirect ACL deny statements) going forward that we do not tunnel already tunneled traffic during fault scenarios within our WAN.

(DJJ) No, protocol 108 is IPCOMP. It's a totally different transport protocol to UDP, which is protocol 17. We typically use ports 3577 and 3578 for connections between the boxes. When you encrypt using IPSEC/ESP it's protocol 50.

(Demarco) OK, got it. So during WAN link failures, site A traffic passes through site B to get to campus. To keep site B's WXC from attempting to tunnel site A's already tunneled traffic, could we just add the following ACL adjustment (on a competitor's router product):

ip access-list extended into_WCCP
10 deny 50 any any
20 deny 108 any any

or would we also need to add:

30 deny udp any eq 3577 any
40 deny udp any eq 3578 any
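Added example, not from the thread or from Juniper: a small Python model of how a Cisco-style first-match redirect ACL treats the traffic types named in this thread (IPComp = IP protocol 108, ESP = IP protocol 50, UDP = IP protocol 17, the 3577/3578 ports), evaluated on constructed IPv4 packets. It assumes the post's lines are IOS extended-ACL syntax and adds a trailing permit line (an assumption, not in the post), since a redirect ACL containing only deny lines would redirect nothing.

```python
import struct
from dataclasses import dataclass
from typing import Optional
TCP, UDP, ESP, IPCOMP = 6, 17, 50, 108   # IANA IP protocol numbers
ANY = None

@dataclass(frozen=True)
class Packet:
    proto: int
    src_port: Optional[int] = None   # only TCP/UDP carry port fields
    dst_port: Optional[int] = None

def parse_ipv4(raw: bytes) -> Packet:
    """Read the IPv4 protocol field (byte 9) and, for TCP/UDP, the port pair."""
    ihl = (raw[0] & 0x0F) * 4            # header length in bytes
    proto = raw[9]                       # 108 lives here, not in a UDP port
    if proto in (TCP, UDP) and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
        return Packet(proto, sport, dport)
    return Packet(proto)                 # ESP / IPComp: no port fields at all

# The post's Cisco-style lines as (action, ip_protocol, source_port_eq). The final
# permit is an ASSUMPTION; without it the implicit deny would redirect nothing.
ACL = [
    ("deny", ESP, ANY),      # 10 deny 50 any any
    ("deny", IPCOMP, ANY),   # 20 deny 108 any any
    ("deny", UDP, 3577),     # 30 deny udp any eq 3577 any
    ("deny", UDP, 3578),     # 40 deny udp any eq 3578 any
    ("permit", ANY, ANY),    # assumed: 50 permit ip any any
]

def acl_action(pkt: Packet, acl=ACL) -> str:
    """First match wins; 'deny' means WCCP leaves the packet on its normal path."""
    for action, proto, sport in acl:
        if proto is not ANY and pkt.proto != proto:
            continue
        if sport is not ANY and pkt.src_port != sport:  # 'eq' before the trailing
            continue                                     # 'any' is the SOURCE port
        return action
    return "deny"                        # implicit deny at the end of every IOS ACL

def build_ipv4(proto: int, payload: bytes = b"") -> bytes:
    """Constructed sample: a 20-byte IPv4 header carrying only the fields we read."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def udp_packet(sport: int, dport: int) -> bytes:
    """Constructed UDP sample (ports only; length/checksum omitted on purpose)."""
    return build_ipv4(UDP, struct.pack("!HH", sport, dport))
```

Running it shows that lines 10 and 20 match ESP and IPComp regardless of any port, while lines 30 and 40 only match UDP whose source port is 3577/3578; a UDP datagram from port 108 is still redirected, because a UDP port and an IP protocol number are different fields.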

 

DannyJ

Re: Encryption license and deployment questions

Do you have a network diagram you can share so I fully understand how this hangs together, please?

Danny Jump
Technical Marketing Manager - Access and Acceleration Business Unit
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.