Re: Distributing site-wide RFC 3484 policy



> > 	do you plan to have source addresses with different reachability with
> > 	VPN and stuff, even with IPv6 where no private address would be
> > 	deployed hopefully?
> 
> I wouldn't design things that way, but I believe that corporate notions
> of security and business partnerships will cause this to happen.
> In fact I agree with Phill Hallam-Baker that the *best* way to solve
> this is by applications-level strong security such as Web Services Security,
> but I am not optimistic that this will be adopted by everybody.

	if you agree with Phill, you should make efforts in that direction!

> > 	of course you can run IPsec tunnels or other VPN technologies by using
> > 	global IPv6 addresses.
> 
> Yes, but you may still have complexity because only some hosts in company A
> can reach only some hosts in B via the VPN. DNS gets complex and messy too.

	yeah, there are various ways to solve DNS issues, i don't think there
	is a perfect solution.  but the DNS issue does not have anything to do
	with IP-layer reachability.

itojun