Re: More VPN info

[Jason Costomiris <jcostom jasons org>]

On Saturday, February 1, 2003, at 09:31  PM, Dick St.Peters wrote:

> Jason Costomiris writes:
>
> > On Saturday, February 1, 2003, at 03:17  PM, Dick St.Peters wrote:
> >
> > > > net1 <--> net2/net3
> > > >
> > > > This requires good network planning.
> > >
> > > No, this requires planning your network around IPsec, which is not 
> > > the
> > > same thing as good network planning.  Other VPN technologies fit into
> > > the network you have ... or that you may want to have for other
> > > reasons.
> >
> > That's silly.  Planning your network so that you can aggregate the
> > networks at each site into a single network  has nothing to do with
> > planning your network around IPsec.  It has everything to do with
> > minimizing configuration of whatever connectivity solution you deploy,
> > be it IPsec, some random VPN, private links or even frame relay.
>
> Oh yee of little imagination ... start with the obvious case: two NICs
> on the gateway, one in net2, the site's DMZ, another in net3, its
> internal network.  Aggregate that one.

Well, I'm sure you mean 3 nics, since you're using one in the internal 
net, the other in a DMZ, the 3rd on the outside.  Aggregate that?  Uh, 
what's the problem?  Both networks are connected to the same gateway.  
You *PLAN* and use adjacent subnets, such as say 192.168.10.0/24 for 
net2 and 192.168.11.0/24 for net3 (ie. 192.168.10.0/23).  Little 
imagination my foot. :)

> For another, try having net2 and net3 be at different sites, where the
> two sites represent two previously different companies that just
> merged.  One numbered out of 192.168.0.0/16, the other out of 10/8.

Ok, that's not a big deal either.  If both sites are well planned, it 
doesn't matter that each site came out of different RFC1918 spaces.  
You don't aggregate both sites into a single route, at least in your 
example.  You'd only do that if you were deploying a hub and spoke and 
putting routes on the spoke sites.  If that's the case, it's one or two 
extra routes in what would most likely be a fair number already.  In 
our example here, we've been talking about doubling or tripling the 
size of his routing tables.

> Networks are not planned; networks grow (or shrink or divide) under
> the influence of things other than networking.  People trying to plan
> networks have never been any better at predicting the future than
> anyone else.

Layer 8 issues have their place, but if you're a smart network manager, 
you'll work within them to ensure you don't either create a network 
that's difficult to maintain or introduce proprietary solutions that 
don't interoperate when perfectly good interoperable solutions exist.

--
Jason Costomiris <><
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.