
Re: The renumbering problem [Re: [BEHAVE] Comments on the NAT66 draft]



Hi,

On Tue, Nov 18, 2008 at 06:29:54PM -0600, james woodyatt wrote:
> >OK, I bite.  What answer do you give to folks that need to renumber
> >things like site-to-site VPN endpoints, which affects lots of
> >configuration to be changed by *other* folks (their VPN peers)?
> 
> Please, help me understand why solving this problem requires storing  
> IP addresses in persistent storage without a coherent caching  
> protocol.  I'm not seeing it-- probably because I'm not sure I  
> understand the nature and scope of the problem very well.

Uh, well, people usually configure their VPN endpoints (site-to-site, 
not roadwarrior-to-home) with IP addresses.

> For the sake of argument, I'll accept that reasonable people currently  
> perceive it to be necessary.  My hunch is that those folks should  
> probably be using DNS-SD instead of the fragile cruftiness they're  
> struggling against now.  Maybe if I understood the problem better, I  
> could suggest a more detailed alternative to their current solution.

Well.  Yes.  I've spent some time after my e-mail yesterday thinking about
this, and actually using DNS (plus some sort of "not completely braindead
IPSEC implementation") might just work, provided one can get old+new
addresses working for long enough for DNS to propagate.

Which is not instantaneous, as soon as it leaves the local domain.

Now *this* aspect reduces itself to "educate people that DNS is good"
and "educate firewall vendors to write useful IPSEC code".


Another thing that is regularly mentioned regarding "why renumbering is
hard" is access-lists (aka "firewall rules").  DNS as well?

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  128645

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
