Solved: Re: What is the replacement for ISM-VPN-29 in ISR 4000 routers?

eliastefera · ‎10-23-2017

What is the replacement for ISM-VPN-29 in ISR 4000 routers?

bolick · ‎10-24-2017

The short answer is there isn't one.

The slightly longer answer is that you don't need one because we give it to you for free.

The much longer answer:

The ISM-VPN-29 along with all crypto modules for the ISR G2 added additional hardware crypto functionality to the router. All ISR G2s did encryption in hardware, but the default system did not include enough hardware to fill the router forwarding capacity with encrypted traffic. Hardware encrypters are expensive especially when the ISR G2s were developed. The ISM-VPN gave you additional capacity to fill the box with encrypted traffic.

When the ISR 4Ks were developed hardware encryption had come down in price to the point it was possible to include hardware encryption that could fill the box. Essentially that's like including an ISM-VPN on every ISR4K that you buy so it isn't needed. We do have the option in the future of using the ISE (Integrated Services Engine) slot inside the ISR4K to add more crypto capacity if we do ever need it. That might happen if there's an especially complex transform set that means our on-board crypto can't keep up with the data plane. So far that hasn't happened so we've never built, and likely never will build, and ISE-VPN.

An interesting side-effect of that has to do with US Department of Commerce export controls. They control how much "strong encryption" we can export in order to make sure that it isn't going to embargoed countries. To comply with that we have to record who the end customer is for all strong encryption so they can guarantee it isn't going somewhere they don't like. (We have to record it but we don't send it to them unless they ask. AFAIK they've never asked.) That's relatively easy with an ISM-VPN. We just track where that hardware is ordered and we're done (the ASR1K uses a similar mechanism). With the ISR4K we don't have a hardware order we can track, so we have to use the HSEC license which opens up the box encryption capacity to "export controlled" levels. Since we have to track the end-user for HSEC licenses that means that it has to be an enforced license tied to the box which is why HSEC is the only node-locked license that must be installed on the box. That's just something to be aware of because this can cause a headache for resellers and integrators who often order hardware before they know exactly where it's going.

View solution in original post

bolick · ‎10-24-2017

The short answer is there isn't one.

The slightly longer answer is that you don't need one because we give it to you for free.

The much longer answer:

The ISM-VPN-29 along with all crypto modules for the ISR G2 added additional hardware crypto functionality to the router. All ISR G2s did encryption in hardware, but the default system did not include enough hardware to fill the router forwarding capacity with encrypted traffic. Hardware encrypters are expensive especially when the ISR G2s were developed. The ISM-VPN gave you additional capacity to fill the box with encrypted traffic.

When the ISR 4Ks were developed hardware encryption had come down in price to the point it was possible to include hardware encryption that could fill the box. Essentially that's like including an ISM-VPN on every ISR4K that you buy so it isn't needed. We do have the option in the future of using the ISE (Integrated Services Engine) slot inside the ISR4K to add more crypto capacity if we do ever need it. That might happen if there's an especially complex transform set that means our on-board crypto can't keep up with the data plane. So far that hasn't happened so we've never built, and likely never will build, and ISE-VPN.

An interesting side-effect of that has to do with US Department of Commerce export controls. They control how much "strong encryption" we can export in order to make sure that it isn't going to embargoed countries. To comply with that we have to record who the end customer is for all strong encryption so they can guarantee it isn't going somewhere they don't like. (We have to record it but we don't send it to them unless they ask. AFAIK they've never asked.) That's relatively easy with an ISM-VPN. We just track where that hardware is ordered and we're done (the ASR1K uses a similar mechanism). With the ISR4K we don't have a hardware order we can track, so we have to use the HSEC license which opens up the box encryption capacity to "export controlled" levels. Since we have to track the end-user for HSEC licenses that means that it has to be an enforced license tied to the box which is why HSEC is the only node-locked license that must be installed on the box. That's just something to be aware of because this can cause a headache for resellers and integrators who often order hardware before they know exactly where it's going.