IPsec throughput tests between 2 Soekris 5501 running pfSense

Late last year I was playing with pfSense in order to replace ssh+vtund connections between sites with a cleaner IPsec rig. To that effect I set up 2 Soekris 5501 with HiFn crypto accelerators, directly connected via a Cat-6 Ethernet cable, both running pfSense 1.2 (I forget which release candidate), and was able to pipe 20Mb/s using 256-bit AES ESP (note the little b as bit, not byte). I controlled for Ethernet limitation by sending 8x-10x as much data over the same link without IPsec.

Velocity: Adam Bechtel @yahoo, Performance plumbing

When building a global network, you start building out knobs (usually implemented as routing policies): cost, packet loss, latency, maintenance, diversity, isolation, "special".

[Really funny analogy between anycast and toilets, caching and water supply]

After having developed routing policies, you start looking into anycast. One of the first services to be anycast is DNS.

Anycast scaling: VIP, ECMP

Anycast considerations: how to monitor services? How to control users? How to handle transient network events?