North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
RE: dsl providers that will route /24
- From: David Schwartz
- Date: Fri Mar 30 03:16:39 2001
> > Subject: RE: dsl providers that will route /24
> > That definition, if you really mean it, would make nearly
> > every packet on
> > the Internet spoofed. Sooner or later, pretty much every packet winds
> > up
> > coming into a router with a source not assigned to the customer
> > on the other
> > end of that link.
> think edge man, EDGE!
This 'edge' is potentially mythical. Most circuts go to both machines and
customers. Ultimately, the edge is the source machine.
> > I prefer a much more useful definition of "spoofed". A
> > packet is said to be
> > spoofed if it is introduced onto the Internet and originated on
> > a machine
> > whose administration has not been assigned that IP address for
> > use on the
> > Internet.
> And that's different from my definition, how? You say "machine", I say
> "link". Which part of that picture does the average ISP have control
Well that's the problem. Further up the line, you can't tell where a packet
> > I'd love to hear your explanation of why a unidirectional VPN is a
> > configuration error.
> Your VPN is tunnelled and encrypted, no?
> (BTW, "unidirectional VPN" is an oxymoron -- a net does not go one way)
'Unidirectional VPN' is not an oxymoron. A VPN emulates a private pipe by
using a public network. A unidirectional VPN emulates a unidirectional
private pipe using a public network. Sometimes, that's all you need.
For example, suppose you have two offices that each have a /24 from
different ISPs. You have no private link between them. For some reason, you
need to have a machine at one location with an IP address from the 'wrong'
/24. What you'd like to have is a private network between them. Since you
don't have one, you use a virtual private network.
Obviously, inbound packets to this IP will arrive at the 'wrong' place, so
you need to tunnel them to the right place. However, outbound packets have
both source and destination addresses that are valid on the public Internet.
You could tunnel them, but that would result in increased bandwidth
consumption and gain you basically nothing.