Re: Modefg considered harmful
> Sorry, you lost me in the sea of acronyms. Could you please expand
> PE and SP? Provider Equipment and ...???
sorry... (as you say, we live in different worlds ;); PE stands for
Provider Edge device and SP for Service Provider.
> > In a scenario where sites are allowed to connect to the PPVPN using an
> > IPsec tunnel with the PE (which serves different VPNs), the SP's PE
> > would need to be pre-configured with the necessary information to
> > authenticate connecting sites as belonging to a specific PPVPN (I don't
> > believe it to be related with the customer's private addresses).
>
> This is only one possible scenario. In your scenario you may not care
> about ip address policy inside the tunnel, in which case you can leave
> the policy as 0/0 <-> 0/0, which is perfectly fine. However, just
> because YOUR architecture doesn't need this feature does not imply
> that others can live without it.
I agree. We'll have to find a solution where all architectures that are
impacted can be satisfied. (Isn't that what applicability statements are
for?)
> > Once the (dynamically established IPsec) virtual interface (virtual
> > interfaces are really what's needed in the PPVPN context) is mapped to a
>
> Again, this may be fine in a PPVPN world, but the world is not just
> PPVPN. I want to set up host-to-gateway road-warrior VPNs, or even
> host-to-host protections. I need to be able to dynamically set
> policies on what address to expect on any particular SPI, and I want
> these policies tied to the IKE ID.
I understand, I'm not disputing that different worlds may have different
requirements.
Jeremy.
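Added illustration, not part of the thread above and not code from either correspondent: a toy model of the two policy styles being discussed. Each inbound SA, looked up by its SPI, carries the inner-address selectors negotiated for a particular IKE identity, so a decrypted packet whose inner source or destination falls outside the selector bound to that SPI is dropped; the 0/0 <-> 0/0 case accepts any inner address, as the quoted reply notes. The per-identity policy table, the IKE IDs, SPIs and addresses are constructed sample values, and install_inbound_sa is a hypothetical helper standing in for whatever a real IKE daemon does when it narrows a proposed traffic selector against configured policy.

```python
"""Toy IPsec inbound policy model: selectors bound per SPI and per IKE ID.
All identities, SPIs and addresses are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class InboundSA:
    spi: int
    ike_id: str              # identity authenticated in IKE for this SA
    remote_ts: IPv4Network   # inner source addresses expected from this peer
    local_ts: IPv4Network    # inner destination addresses allowed on this SA


ANY = ip_network("0.0.0.0/0")

# Constructed per-identity policy: which inner addresses each IKE ID may
# claim. A road-warrior is pinned to one host; a site tunnel in the PPVPN
# style carries no inner-address restriction (the 0/0 <-> 0/0 case).
ID_POLICY = {
    "alice@example.test": ip_network("10.9.0.7/32"),
    "site-a.vpn.example.test": ANY,
}

# Constructed inbound SA database (SAD), keyed by SPI.
SAD = {
    0x1001: InboundSA(0x1001, "alice@example.test",
                      ip_network("10.9.0.7/32"), ip_network("192.0.2.0/24")),
    0x2002: InboundSA(0x2002, "site-a.vpn.example.test", ANY, ANY),
}


def install_inbound_sa(spi: int, ike_id: str, proposed_ts: str, local_ts: str,
                       sad: dict, policy: dict = ID_POLICY) -> InboundSA:
    """Hypothetical IKE-side step: accept a peer's proposed remote traffic
    selector only if it lies within what its authenticated ID is allowed to
    claim, then bind that selector to the new SPI."""
    allowed = policy.get(ike_id)
    if allowed is None:
        raise PermissionError(f"no policy for IKE ID {ike_id}")
    proposed = ip_network(proposed_ts)
    if not proposed.subnet_of(allowed):
        raise PermissionError(f"{ike_id} may not claim {proposed}")
    sad[spi] = InboundSA(spi, ike_id, proposed, ip_network(local_ts))
    return sad[spi]


def check_inbound(spi: int, inner_src: str, inner_dst: str, sad: dict = SAD) -> str:
    """Post-decryption check: the inner header must match the selectors that
    were bound to this SPI, otherwise the packet is dropped."""
    sa = sad.get(spi)
    if sa is None:
        return "drop:unknown-spi"
    if (ip_address(inner_src) not in sa.remote_ts
            or ip_address(inner_dst) not in sa.local_ts):
        return f"drop:selector-mismatch:{sa.ike_id}"
    return f"accept:{sa.ike_id}"


if __name__ == "__main__":
    # The road-warrior SA only accepts its own pinned inner address ...
    print(check_inbound(0x1001, "10.9.0.7", "192.0.2.10"))
    print(check_inbound(0x1001, "10.9.0.8", "192.0.2.10"))
    # ... while the 0/0 <-> 0/0 site SA accepts any inner address.
    print(check_inbound(0x2002, "172.16.5.5", "198.51.100.1"))
```

The point of the two tables is the separation the second correspondent asks for: the address a peer is allowed to source is decided by its authenticated IKE ID at SA installation time, and the per-packet check then only needs the SPI to find that decision. An architecture that does not care about inner addresses simply configures ANY for its identities and gets the 0/0 <-> 0/0 behaviour without a separate code path.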