
Re: Distributing site-wide RFC 3484 policy




On 2007-07-24 18:05, Jun-ichiro itojun Hagino wrote:
	- alain durand said that he would prefer to have single IPv6 address
	  on a node.  i would not go that far (for renumbering and multi-
	  address multihoming) but i object to have addresses with different
	  reachability or "scoping".
Yes, they are horrible, but they are not possible to avoid in the complex
topology created by corporate networks and VPNs.

	do you plan to have source addresses with different reachability with
	VPN and stuff, even with IPv6 where no private address would be
	deployed hopefully?

I wouldn't design things that way, but I believe that corporate notions
of security and business partnerships will cause this to happen.
In fact I agree with Phill Hallam-Baker that the *best* way to solve
this is by applications-level strong security such as Web Services Security,
but I am not optimistic that this will be adopted by everybody.

	of course you can run IPsec tunnels or other VPN technologies by using
	global IPv6 addresses.

Yes, but you may still have complexity because only some hosts in company A
can reach only some hosts in B via the VPN. DNS gets complex and messy too.

   Brian