
Re: Distributing site-wide RFC 3484 policy



> > 	so do you mean that your enterprise does not have external connectivity?
> 
> External connectivity isn't necessarily available for VPN users,
> because a VPN connection is usually for retrieving resources in
> the enterprise network like e-mail and web pages.
> Even if it's available, you may not love to use degraded-quality
> connectivity instead of a non-degraded one.

	but the above problem is not specific to VPN, right?
	- you have some connectivity from your laptop - either directly from
	  your laptop or via some router(s)
	- some connectivity is restricted compared to another, in some way
	  such as (a) bandwidth (b) price (c) NATed (d) slow (e) inefficient
	  path due to tunnelling (f) limited reachability (g) you name it.

	it really is a policy routing problem.  you have to solve it WITHOUT
	global knowledge.  the way you (and probably other guys) are proposing
	with "distribution of policy table" is, using god's point-of-view.

	and after more than 10 years of policy routing research, there's not
	a single viable solution, as far as i know.

> > 	how do you use Google from your enterprise, for instance?
> 
> We are told to use a home-made search engine, instead of Google ;)

	so that you cannot find offensive stuff or they can keep track of
	keywords.  ok, i hope you are happy with that environment :-)

itojun