On Dec 4, 2011, at 2:26 PM, Joel Jaeggli wrote:
> It's not a question of starting. Outside of some small number of
> developed economies mobile carriers and a number of wireline providers
> were always deployed that way, or out of squat space however bad an idea
> that may have been.
OK, yeah "started" is not a good word. It's been that way for a good while.
> The VPN connection is going to work, it's being established against a
> public endpoint. The risk for a collision between the resulting routing
> tables is scoped to the netmask of that outside interface.
Nope. The VPN transport layer connection works of course - the resulting
internal routes learned inside it break. Obviously if the netmask/subnets work
out right you're ok. But that's the rub - how do we know what they could be?
This isn't just some simple model of a single corporate 10.x.x.x subnet you're
reaching through a VPN; big/medium companies have multiple internal private
networks, including labs and remote branches and such.
> Enterprises have a lot of experience with this, it's a necessary
> consequence of supporting mobile users whether they are wireless or in
> hotels.
And it actually breaks in practice. I'm not speaking of hypotheticals - it's
happened to me, at more than one employer.
I don't disagree similar problems happen in hotel networks (that's happened to
me too, at an IETF meeting hotel years ago if I recall right)... but do we want
to say the ISPs have to use a hotel model of "click this and pay more for a
VPN-capable connection" instead of allocating them a /10? [note: I realize
hotels do this to also make legacy unencapsulated IPsec VPNs work, but I'm not
talking about that]
-hadriel
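The disagreement above (whether the collision is scoped only to the outside interface's netmask, or whether routes learned inside the tunnel break in practice) can be made concrete with a small route check. The following is an added example, not code from the thread or from any IETF document: it takes the subnet the ISP hands the host on its outside interface and the routes the VPN client pushes for the corporate internal networks, reports which pushed routes overlap the locally attached subnet, and then resolves sample destinations by longest-prefix match to show which traffic silently stays on the local link instead of entering the tunnel. All prefixes and addresses are constructed sample values.

```python
"""Check VPN-pushed internal routes against the subnet attached on the
ISP-facing (outside) interface and show how longest-prefix matching
decides where traffic for an overlapping range actually goes.

Added example, not part of the original mailing-list thread. Every
prefix below is a constructed sample value, not real network data.
"""
from ipaddress import ip_address, ip_network


def find_route_collisions(local_subnets, vpn_routes):
    """Return (vpn_route, local_subnet) string pairs whose ranges overlap.

    A pushed route that overlaps the connected subnet is the failure the
    thread describes: some internal destinations become unreachable
    through the tunnel even though the tunnel itself came up fine.
    """
    collisions = []
    for route in vpn_routes:
        r = ip_network(route)
        for local in local_subnets:
            if r.overlaps(ip_network(local)):
                collisions.append((str(r), local))
    return collisions


def build_table(local_subnets, vpn_routes):
    """Model the host's forwarding table as (network, egress) entries.

    Connected subnets egress via 'local'; VPN-pushed routes via 'vpn'.
    """
    table = [(ip_network(n), "local") for n in local_subnets]
    table += [(ip_network(n), "vpn") for n in vpn_routes]
    return table


def resolve(table, destination):
    """Longest-prefix match for one destination address.

    Returns 'local', 'vpn', 'ambiguous' (equal-length prefixes point at
    different egresses, so behaviour is implementation-dependent) or
    None when no entry covers the address (it would follow the default).
    """
    addr = ip_address(destination)
    best_len = -1
    winners = []
    for net, egress in table:
        if addr in net:
            if net.prefixlen > best_len:
                best_len = net.prefixlen
                winners = [egress]
            elif net.prefixlen == best_len:
                winners.append(egress)
    if not winners:
        return None
    return winners[0] if len(set(winners)) == 1 else "ambiguous"


if __name__ == "__main__":
    # Constructed scenario: the ISP numbers the host out of a large
    # private block, and the VPN pushes the usual corporate routes.
    isp_attached = ["10.64.12.0/24"]
    corp_routes = ["10.0.0.0/8", "10.64.0.0/16", "192.168.50.0/24"]

    for route, local in find_route_collisions(isp_attached, corp_routes):
        print(f"pushed route {route} overlaps attached subnet {local}")

    table = build_table(isp_attached, corp_routes)
    for dst in ("10.64.12.77", "10.64.99.5", "10.5.1.1", "8.8.8.8"):
        print(f"{dst:>12} -> {resolve(table, dst)}")
```

Running it shows the asymmetry both posters are describing: the tunnel comes up, and hosts in the lab /16 or the wider corporate /8 are still reachable, but any internal host that happens to fall inside the ISP-assigned /24 resolves to the local link because the connected route is the longer prefix. If the VPN pushes a route of exactly the same length as the attached subnet, the check reports the result as ambiguous rather than guessing, since different operating systems break that tie differently.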
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf