"Mark" == Mark Andrews <marka(_at_)isc(_dot_)org> writes:
Mark> This is not a ISP/CUSTOMER problem. This is a
Mark> ISP/CUSTOMER/WORK problem.
Mark> You have the ISP using 172.16/12 You have the customer using
Mark> 192.168/16 or 10/8 You have WORK using 172.16/12
Mark> Enterprises have chosen to use 172.16/12 for EXACTLY the same
Mark> reasons you want ISP to use 172.16/12. CPE equipment doesn't
Mark> default to that range. Both the enterprise and the ISP don't
Mark> want to clash with the employee/customer.
It's not in general a problem unless the tunnel to work is terminated on
the CPE device itself. For the normal case, the *DESKTOP/LAPTOP*
terminates the VPN, and so it sees CUSTOMER and WORK prefixes, while
CPE device sees CUSTOMER and ISP prefixes. WORK sees WORK and Public-IP
prefixes.
In the case where the VPN is terminated on the CPE device, I claim three
things:
a) customer/WORK is sophisticated and can communicate about the problem.
b) the CPE device already has a public IP on the outside, the ISP
should not renumber it.
c) the CPE device can be given a host route for its default gateway,
and it has no reason to talk to any other host in the ISP's CGN
network anyway.
(Openswan installs a host route via the old default route for ESP
traffic, and a pair of 0.0.0.0/1 and 128.0.0.0/1 routes through the
tunnel if you are extruding. This avoids removing the default route...)
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr(_at_)sandelman(_dot_)ottawa(_dot_)on(_dot_)ca
http://www.sandelman.ottawa.on.ca/ |device driver[
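A small longest-prefix-match model of the routing claims in the message above (point (c), the host route for the gateway, and the Openswan host-route plus 0.0.0.0/1 and 128.0.0.0/1 trick), added here as an example; it is not code from the thread or from Openswan, and all addresses and next-hop labels are constructed.

```python
"""Model of a CPE routing table with an extruded VPN, plus an RFC 1918
overlap check for the ISP / CUSTOMER / WORK prefixes. Added example;
addresses are constructed placeholders, not real deployments."""
from ipaddress import ip_address, ip_network


class RoutingTable:
    """Minimal IPv4 FIB: lookup() returns the next hop of the most specific match."""

    def __init__(self):
        self.routes = []  # list of (IPv4Network, next_hop_label)

    def add(self, prefix, via):
        self.routes.append((ip_network(prefix), via))

    def lookup(self, dst):
        addr = ip_address(dst)
        matches = [(n.prefixlen, via) for n, via in self.routes if addr in n]
        return max(matches)[1] if matches else None


def cpe_table(gw, vpn_peer, customer_lan, isp_cgn=None):
    """Build the CPE table after an Openswan-style tunnel-as-default is installed.
    isp_cgn=None models point (c): only a /32 host route to the ISP gateway,
    not the whole CGN range as a connected prefix."""
    t = RoutingTable()
    t.add(customer_lan, "lan")
    if isp_cgn:                          # naive CPE: entire CGN range on the ISP link
        t.add(isp_cgn, "isp-link")
    t.add(gw + "/32", "isp-link")        # host route to the default gateway only
    t.add("0.0.0.0/0", "isp-link")       # original default route, left untouched
    t.add(vpn_peer + "/32", "isp-link")  # ESP to the peer keeps using the old default
    t.add("0.0.0.0/1", "tunnel")         # the two /1 routes win over the /0 default
    t.add("128.0.0.0/1", "tunnel")
    return t


def overlapping(prefixes):
    """Return the pairs of named prefixes that overlap (the ISP/WORK clash)."""
    nets = {name: ip_network(p) for name, p in prefixes.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    t = cpe_table("172.16.0.1", "203.0.113.10", "192.168.1.0/24")
    print(t.lookup("203.0.113.10"), t.lookup("172.16.5.5"), t.lookup("198.51.100.7"))
    print(overlapping({"ISP": "172.16.0.0/12", "CUSTOMER": "192.168.0.0/16",
                       "WORK": "172.16.0.0/12"}))
```

With the CGN range installed as a connected /12, WORK addresses inside 172.16/12 leak onto the ISP link; with only the gateway host route they go into the tunnel, while the ESP peer and the gateway itself still resolve via the ISP link.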