nanog mailing list archives
Re: Restrictions on Ethernet L2 circuits?
From: "A.B. Jr." <skandor () gmail com>
Date: Fri, 1 Jan 2010 13:03:54 -0200
Linen,
> As far as I'm concerned, enterprises should just connect their various
> sites to the Internet independently, and use VPN
> techniques if and where necessary to provide the illusion of a unified
> network. In practice, this illusion of a single
> large LAN (or rather, multiple organization-wide LANs) is very important
> to the typical enterprise, because so much
> security policy is enforced based on IP addresses. And the typical
> enterprise wants a central chokepoint that all traffic
> must go through, for reasons that might have to do with security, or
> support costs, or with (illusions of) control.

Most security policies are also based on "local" vs "remote" criteria. Most pieces of software believe that an access to a local IP is faster and safer than an access to an IP address somewhere else. Emulating means lying to someone, and if you start lying too much you can end up messing everything up.

I agree that enterprises should use WANs as WANs (i.e., IP routed networks) and not try to hide distance and security fragility from systems and security appliances. End-to-end VPN can be used in the very special cases where special security is needed, by means of strong VPN encryption.

It seems nice to have something that looks like a simple Ethernet cable. The problem is that it is *not* a simple cable, and never will be. Making the rest of the LAN believe that it is such a simple cable may raise huge trouble. Most LAN protocols have a degree of TRUST in LAN traffic. Any security expert will tell you that trust is your enemy.

Managing a router is a hassle? Oh, come on! If a net admin is unable to manage a simple subnet configuration and do some simple math with masks and prefixes, he had better find himself another job.

Take care,
A.B. Jr.
Current thread:
- Re: Restrictions on Ethernet L2 circuits? A.B. Jr. (Jan 01)
- <Possible follow-ups>
- RE: Restrictions on Ethernet L2 circuits? Endresen Even (Jan 01)