On Sunday, February 2, 2003, at 11:11 PM, Dick St.Peters wrote:
> Giving a remote site access to the DMZ over the VPN is exactly the
> example intended.
Ok, if that's the case, what's wrong with RFC 1918 space in the DMZ??? If this DMZ is only ever accessed over a VPN, using globally routable IP space is just plain wasteful.

> It's odd to see an IPsec advocate speaking highly of NAT.  NAT changes
> packets checksums, which disables some things - IPsec being the most
> commonly-cited example.
Yes, you're correct, primarily in the case of AH, which because of its lack of payload encryption is almost never used. In fact, you're better off using ESP with a null cipher instead. You cited the example of a DMZ. When one defines a DMZ (using the generally accepted definition of such), you're usually exposing services to the Internet. That's where the NAT comes in. You do realize you can use NAT for clear traffic and no NAT for VPN traffic, right?

> If an IPsec tunnel links net1 to net2, and you establish a route
> through it from net1 to net3, the IPsec tunnel will refuse to carry the
> packets.  You may not call that filtering, but that's what it is.
Not in the examples I've given. In my examples, net2 and net3 are adjacent, allowing you to define a single tunnel for the solution. Why do you simply refuse to plan a network, rather than let it grow willy-nilly?

> > I've been building networks for 13 years, and VPNs for 7 years.  I've
> > never once had to re-architect a network to deploy an IPsec VPN.  Some
> > IPsec configurations have been easier than others, and those are the
> > ones done on *well-planned* networks.
> Show and tell time, eh?  Ok, I built my first IP network in 1983.
> That network became one of the two foundation networks for the GE
> Corporate network.
Wow, I'm impressed. However, someone with that much experience should know this stuff. Since this seems to be degenerating into you telling us what a network genius you are, and me telling you that you aren't, let's just leave it here, eh? The point of my statement was that I've built a large number of VPNs and a larger number of networks, and I've never once had to re-architect a network just to deploy an IPsec VPN. The way you talk about IPsec, you seem to think that you need to plan networks around it. My point is simple. If you PLAN your network, rather than just let it grow willy-nilly, you will never have problems trying to implement a VPN (from the network perspective). That is, your problems, if any, will stem from human error or software defect.

You also seem hung up on this notion of a "virtual wire" and how you seem to think that IPsec doesn't act like one. As another poster has pointed out, an IPsec tunnel meets your definition of a "virtual wire".

--
Jason Costomiris <><
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
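The AH-versus-ESP point in the exchange above, shown as a small model added here (it is not code from either poster): AH's integrity check covers the outer IPv4 addresses, so a NAT box rewriting the source address invalidates the ICV even though a router decrementing TTL does not; ESP's ICV covers only the ESP header, payload and trailer, so rewriting the outer header leaves it intact, with or without a real cipher. The key, SPIs, addresses and payload are constructed demo values; the ICV is an HMAC-SHA256 truncated to 96 bits, a standard IPsec integrity algorithm used here only to make the dependency on header bytes visible.

```python
import hashlib
import hmac
import struct

# Constructed shared integrity key for the demo SA (not a real key).
KEY = b"constructed-demo-integrity-key"


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement checksum over an IPv4 header whose checksum field is zero."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header with a correct checksum."""
    def a2b(a):
        return bytes(int(x) for x in a.split("."))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                                0x1234, 0x4000, ttl, proto, 0, a2b(src), a2b(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """What a source-NAT box does: swap the source address and fix the checksum."""
    hdr = bytearray(ip_hdr)
    hdr[12:16] = bytes(int(x) for x in new_src.split("."))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def ah_covered_view(ip_hdr: bytes) -> bytes:
    """AH (RFC 4302 3.3.3.1) zeroes the mutable IPv4 fields before computing the ICV:
    TOS, flags/fragment offset, TTL and the header checksum. Source and destination
    addresses stay covered, which is exactly why NAT and AH do not mix."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum (NAT's checksum rewrite alone would be harmless)
    return bytes(h)


AH_HDR = struct.pack("!BBHII", 17, 4, 0, 0x1000, 1)   # constructed: next=UDP, len, rsvd, SPI, seq
ESP_HDR = struct.pack("!II", 0x2000, 1)                # constructed: SPI, seq
PAYLOAD = b"constructed cleartext payload"             # ESP with a null cipher carries this as-is


def ah_icv(ip_hdr: bytes) -> bytes:
    covered = ah_covered_view(ip_hdr) + AH_HDR + b"\x00" * 12 + PAYLOAD  # ICV field zeroed
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]


def esp_icv() -> bytes:
    """ESP's ICV covers SPI, sequence number, payload and trailer, never the outer IP header."""
    return hmac.new(KEY, ESP_HDR + PAYLOAD, hashlib.sha256).digest()[:12]


def ah_survives_ttl_decrement() -> bool:
    """A plain router hop (TTL 64 -> 63) touches only a mutable field: AH still verifies."""
    a = build_ipv4("10.1.0.5", "203.0.113.7", 51, len(AH_HDR) + 12 + len(PAYLOAD), ttl=64)
    b = build_ipv4("10.1.0.5", "203.0.113.7", 51, len(AH_HDR) + 12 + len(PAYLOAD), ttl=63)
    return hmac.compare_digest(ah_icv(a), ah_icv(b))


def ah_survives_nat() -> bool:
    """Source NAT rewrites an address AH covers: the receiver's ICV no longer matches."""
    sent = build_ipv4("10.1.0.5", "203.0.113.7", 51, len(AH_HDR) + 12 + len(PAYLOAD))
    icv_at_sender = ah_icv(sent)
    received = nat_rewrite_src(sent, "198.51.100.1")
    return hmac.compare_digest(icv_at_sender, ah_icv(received))


def esp_survives_nat() -> bool:
    """The same NAT on an ESP packet changes the outer header but not what the ICV covers."""
    sent = build_ipv4("10.1.0.5", "203.0.113.7", 50, len(ESP_HDR) + len(PAYLOAD) + 12)
    icv_at_sender = esp_icv()
    received = nat_rewrite_src(sent, "198.51.100.1")
    return received != sent and hmac.compare_digest(icv_at_sender, esp_icv())


if __name__ == "__main__":
    print("AH valid after a router hop:", ah_survives_ttl_decrement())  # True
    print("AH valid after source NAT: ", ah_survives_nat())             # False
    print("ESP valid after source NAT:", esp_survives_nat())            # True
```

The model leaves out one practical detail: a port-translating NAT also needs transport ports to track flows, and ESP has none, which is what UDP encapsulation (NAT-T, RFC 3948) exists to solve. The integrity argument above is unaffected by that.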
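The net1/net2/net3 disagreement above, as an added toy model of IPsec traffic selectors (not code from either poster): a tunnel only carries packets matching its SPD selectors, so a route from net1 to net3 through a net1-to-net2 tunnel is not carried, and the reply's remedy of making net2 and net3 adjacent works only when the two prefixes also aggregate into one block. All addresses and tunnel names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tunnel:
    """One IPsec SA pair and the SPD traffic selectors that steer packets into it."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def select_tunnel(spd, src: str, dst: str) -> Optional[str]:
    """Name of the tunnel whose selectors cover src -> dst, or None.
    With no matching entry the packet is not carried by any tunnel; whether it is
    then sent in the clear or dropped is the SPD default, but it never rides the SA."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in spd:
        if s in t.local and d in t.remote:
            return t.name
    return None


def aggregate(a: ipaddress.IPv4Network, b: ipaddress.IPv4Network) -> Optional[ipaddress.IPv4Network]:
    """Single prefix covering both networks if they are adjacent and aligned
    (10.2.0.0/24 + 10.2.1.0/24 -> 10.2.0.0/23), else None: adjacency alone is not enough."""
    if a != b and a.prefixlen == b.prefixlen and a.supernet() == b.supernet():
        return a.supernet()
    return None


NET1 = ipaddress.ip_network("10.1.0.0/24")   # constructed: the remote site
NET2 = ipaddress.ip_network("10.2.0.0/24")   # constructed: hub LAN
NET3 = ipaddress.ip_network("10.2.1.0/24")   # constructed: hub DMZ, adjacent and aligned with NET2
NET4 = ipaddress.ip_network("10.2.2.0/24")   # constructed: adjacent to NET3 but not aligned with it

# Grown "willy-nilly": the tunnel was built for net1 <-> net2 only.
UNPLANNED_SPD = [Tunnel("net1-net2", NET1, NET2)]

# Planned: LAN and DMZ were laid out as one aggregable block, so one selector pair covers both.
SITE2 = aggregate(NET2, NET3)
PLANNED_SPD = [Tunnel("net1-site2", NET1, SITE2)]


def demo() -> dict:
    """Which tunnel, if any, carries a net1 host talking to the LAN and to the DMZ."""
    return {
        "unplanned lan": select_tunnel(UNPLANNED_SPD, "10.1.0.9", "10.2.0.10"),
        "unplanned dmz": select_tunnel(UNPLANNED_SPD, "10.1.0.9", "10.2.1.10"),
        "planned lan": select_tunnel(PLANNED_SPD, "10.1.0.9", "10.2.0.10"),
        "planned dmz": select_tunnel(PLANNED_SPD, "10.1.0.9", "10.2.1.10"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14s} -> {v}")
```

In the unplanned case the DMZ traffic silently matches nothing, which is the "refuse to carry" behaviour one poster calls filtering; in the planned case the same packets ride the single tunnel because the address plan let one selector cover both nets. If the DMZ had been numbered like NET4, no single prefix would cover LAN and DMZ and a second selector pair would be needed.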

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list