
Re: VPN Tools!

<quote who="Noah Meyerhans">

> That is not a reason to dislike IPsec; it is a reason to dislike NAT. NAT
> is a nasty kludge designed to work around the fact that IPv4 has too
> small an address space for modern Internetworking needs.

For me it is; I see no need to waste public IP space on systems
on an internal network. Even at home I have 8 static IPs; only
2 of my machines run with public IPs (out of 9). NAT is also very
good for redundancy. At my company, for example, I have 2 T1s going
to 2 different ISPs; each T1 has 1 IP assigned to dynamic NAT and
the rest of my /27 assigned to static NAT. If 1 T1 goes down I
can re-route all outbound traffic on the router (through a serial-to-serial
uplink between the 2) and have it get
NAT'd through the 2nd T1 (well, it's already in the router) without
changing anything on the machines connecting to the net. Transparent.
Of course this does not work for inbound traffic.
Also I can place machines "outside" my firewalls and assign them
IPs outside the range of my static NAT entries and have them be
somewhat protected because the IP that does the NAT is not reachable
(if you were to traceroute to the "real" IP that the connections
come from, the route would bounce back and forth between my
router and my ISP's). NAT is a good tool. I am personally
not looking forward to IPv6. Being able to remember all the IPs
of my important servers (both NAT'd and not) is useful in case for
some reason name resolution goes down. The hex-style addressing
of IPv6 makes it much, much, much more difficult (for me at least).
IPv4 should be enough for a long time; it just needs to be
allocated better. I used to work at a fairly large ISP; they
installed Ascend TNTs with ~672(?) dialup lines each, and I think
they wasted on average 2 full Class Cs for each TNT they
installed. I am sure that a lot of other ISPs/companies waste
IP space too.

> ... And ideal for subnet-to-subnet or host-to-subnet inter-network VPNs.
> Its standards-based nature means that it can be made to work with
> products by numerous other vendors, which is incredibly useful if you
> need to run a VPN to to a remote site like an office or school.

I still prefer Cisco's implementation of IPSec-over-UDP more than
the "real" IPsec. I understand the reasoning behind how IPSec
works; I am just glad someone out there makes an IPSec solution that
lets me run my networks the way I want.

But that's why there's choice :)
