Re: Distributing site-wide RFC 3484 policy



Brian E Carpenter wrote:
On 2007-07-25 00:53, Jun-ichiro itojun Hagino wrote:
    as i mentioned previously, VPN is about how to
    - encrypt/authenticate communication with your laptop and your
      organization (like IBM)
    - and pretend that you are inside your organization network

    there's no real point in using, or requiring, ULA for this.
    you can just use IBM PI or PA for the IPv4/v6 address inside the
    IPsec tunnel.  i wonder what Apple corporate VPN is using - i guess
    it would be within 17.0.0.0/8.
Please think about a case where you want to use the Internet at home
and, at the same time, the enterprise network via a VPN connection.
The address you get from the latter network is an IPv6 global address,
but its scope is limited to the enterprise network.

    so do you mean that your enterprise does not have external connectivity?
    how do you use Google from your enterprise, for instance?

Today, I fear it is often NATted. Obviously that is not the future.

I expect to see many enterprises use ULA for internal traffic
and PA or PI for Google. But I was actually thinking about VPNs between
business partners, which create "fingers" of reachability for small
subsets of address space that are shared by pairs of enterprises.
This can get very complex when many companies have mutual business
relationships. I can't even think how to draw it in ASCII art.

In IPv4, you can access multiple differently scoped networks owing
to NAT. When you want to access the global Internet, your address
will be overwritten by a global IPv4 address somewhere, and when you
want to access a rather private system, your address will not be changed,
or will be changed to another private address.

How do you make this network move onto the v6 world?
I believe one of the possible and practical answers is to have multiple
addresses attached to a host combined with appropriate address selection
control.
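As an added illustration of the "multiple addresses plus address selection control" idea above (example code written for this page, not from the thread, the RFC or any stack's implementation): a reduced RFC 3484 source address selection run over the default policy table and over a constructed site-wide table with one extra row. The host addresses, the enterprise prefix 2001:db8:e::/48 and the extra row are hypothetical; only rules 5 and 8 are modelled.

```python
import ipaddress

# RFC 3484 section 2.1 default policy table: (prefix, precedence, label).
DEFAULT_POLICY = [
    (ipaddress.ip_network("::1/128"), 50, 0),
    (ipaddress.ip_network("::/0"), 40, 1),
    (ipaddress.ip_network("2002::/16"), 30, 2),
    (ipaddress.ip_network("::/96"), 20, 3),
    (ipaddress.ip_network("::ffff:0:0/96"), 10, 4),
]

# Constructed site-wide policy: the default table plus one row giving the
# (hypothetical) VPN-reachable enterprise prefix its own label.
SITE_POLICY = DEFAULT_POLICY + [
    (ipaddress.ip_network("2001:db8:e::/48"), 40, 5),
]

def lookup(addr, policy):
    """Longest-prefix match in the policy table; returns (precedence, label)."""
    _net, prec, label = max(
        (row for row in policy if addr in row[0]),
        key=lambda row: row[0].prefixlen,
    )
    return prec, label

def common_prefix_len(a, b):
    """Leading bits shared by two IPv6 addresses (used by rule 8)."""
    return 128 - (int(a) ^ int(b)).bit_length()

def select_source(dst, candidates, policy):
    """Choose a source for dst by rule 5 (prefer matching label), then
    rule 8 (longest matching prefix). Rules 1-4, 6 and 7 (scope, deprecation,
    home address, outgoing interface, temporary address) are assumed not to
    distinguish the candidates. On a full tie the first candidate is kept,
    mirroring a choice the policy left unresolved."""
    dst = ipaddress.IPv6Address(dst)
    _, dst_label = lookup(dst, policy)
    def rank(src):
        src = ipaddress.IPv6Address(src)
        _, src_label = lookup(src, policy)
        return (src_label == dst_label, common_prefix_len(src, dst))
    return max(candidates, key=rank)

# Constructed host: home ISP address plus a VPN-assigned enterprise address.
HOME_SRC = "2001:db8:a::10"
VPN_SRC = "2001:db8:e:100::10"
CANDIDATES = [VPN_SRC, HOME_SRC]

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("site", SITE_POLICY)):
        for dst in ("2001:db8:e::1", "2001:db8:ffff::1"):
            print(name, dst, "->", select_source(dst, CANDIDATES, policy))
```

With the default table the two sources tie for an Internet destination (both label 1, 32-bit common prefix), so the VPN address may leak onto the home path; the extra site row breaks that tie in favour of the home address while still picking the VPN address for enterprise destinations.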