Re: Modefg considered harmful



> Sorry, you lost me in the sea of acronyms.  Could you please expand
> PE and SP?  Provider Equipment and ...???

sorry... (as you say, we live in different worlds ;); PE stands for
Provider Edge device and SP for Service Provider.

> > In a scenario where sites are allowed to connect to the PPVPN using an
> > IPsec tunnel with the PE (which serves different VPNs), the SP's PE
> > would need to be pre-configured with the necessary information to
> > authenticate connecting sites as belonging to a specific PPVPN (I don't
> > believe it to be related with the customer's private addresses).
> 
> This is only one possible scenario.  In your scenario you may not care
> about ip address policy inside the tunnel, in which case you can leave
> the policy as 0/0 <-> 0/0, which is perfectly fine.  However, just
> because YOUR architecture doesn't need this feature does not imply
> that others can live without it.

I agree. We'll have to find a solution where all architectures that are
impacted can be satisfied. (Isn't that what applicability statements are
for?)

> > Once the (dynamically established IPsec) virtual interface (virtual
> > interfaces are really what's needed in the PPVPN context) is mapped to a
> 
> Again, this may be fine in a PPVPN world, but the world is not just
> PPVPN.  I want to set of host-to-gateway road-warrior VPNs, or even
> host-to-host protections.  I need to be able to dynamically set
> policies on what address to expect on any particular SPI, and I want
> these policies tied to the IKE ID.

I understand, I'm not disputing that different worlds may have different
requirements.

Jeremy.