nanog mailing list archives

Re: [External] DMVPN via Internet or Private APN


From: Hunter Fuller via NANOG <nanog () nanog org>
Date: Tue, 12 Jan 2021 12:05:13 -0600

I probably would not choose the Private APN. I get the appeal, but I
would probably use router ACLs to restrict traffic only to other
endpoints in the VPN mesh. Exploits/methods that could get around this
are few and far between, and the benefits are numerous, namely, you
aren't tied to one cell provider, and you aren't even tied to the
cellular medium (which might be important).

If, for some reason, being tied to one carrier was not any concern,
AND I had an amazingly good deal with my carrier on the APN, then my
opinion might change, but that just seems unlikely to me.

I do not think it is an excessive burden to remain on top of software
releases, such that, if there was some exploit that could breach the
ACL protection, you would be able to patch it very quickly. And since
it's just OOB, you can test it on three or four boxes, then just blast
the upgrade out to all of them at once using Ansible or whatever.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Jan 12, 2021 at 10:55 AM Sean Kelly <kellysp () gmail com> wrote:

Hello Nanog's

I offer a question to help me settle an internal debate. As a network
engineer for a large enterprise, do you choose ISP flexibility or ISP
security when you build an OOB network? I was tasked to create an OOB
network for my company. Realistically it would only be deployed to 25%
of the company's sites as they are considered important enough to
justify the cost. The design is simple enough. Hub and spoke using
cellular routers. DMVPN will carry data from the spoke to the hub.

The real debate arrives when it's time to choose a carrier to host the
router. I choose to go with a major cell carrier using a "private"
APN. It allows me to connect my cell routers to a private layer 2
network and my private IP addresses will be used to provide layer 3
connectivity. I know that there will be outliers that can't use this
carrier or cellular at all. These outliers, in my opinion, shouldn't
have a majority stake in the overall design. The APN overall cost is
low and so is the data plan for the hosted routers. The private APN
also eliminates the router as an internet attack vector. I don't
believe routers are appropriate security appliances to defend and
monitor against network threats.

Some of my colleagues believe that the flexibility of public cellular
access outweighs the security risks. The cellular internet will
provide us with a solution for more of the outliers than a private
APN. I don't agree with this philosophy even though it's not
"technically" wrong. I am interested in a broader range of opinion and
technical reasoning.

Nanog member KELLYSP
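One way to implement the router-ACL approach Hunter Fuller describes above, as an added Cisco IOS example that is not from either poster, assuming a single DMVPN hub at the documentation address 203.0.113.10, a spoke cellular uplink named Cellular0/1/0, and DMVPN built on mGRE with IPsec tunnel protection:

```cisco
! Added example, not from the thread. Assumed values: DMVPN hub public
! address 203.0.113.10, spoke cellular uplink Cellular0/1/0, DMVPN using
! mGRE with IPsec tunnel protection.
!
! Inbound policy on the public cellular side: only the hub may reach the
! spoke, and only with the protocols DMVPN needs. Everything else is
! dropped and logged so scans of the cellular address show up in syslog.
!
ip access-list extended CELL-OOB-IN
 remark -- IKE (UDP/500) and NAT-T (UDP/4500) from the hub only --
 permit udp host 203.0.113.10 eq isakmp any
 permit udp host 203.0.113.10 eq non500-isakmp any
 remark -- IPsec ESP carrying the mGRE tunnel, hub only --
 permit esp host 203.0.113.10 any
 remark -- GRE from the hub, in case the platform re-evaluates the
 remark -- decrypted GRE packet against this interface ACL --
 permit gre host 203.0.113.10 any
 remark -- echo-reply so the spoke can ping the hub for link checks --
 permit icmp host 203.0.113.10 any echo-reply
 remark -- default: drop and log everything else --
 deny ip any any log
!
interface Cellular0/1/0
 description OOB uplink over public cellular
 ip access-group CELL-OOB-IN in
 no ip redirects
 no ip unreachables
!
! A publicly reachable cellular address is scanned constantly; keep the
! deny/log line from turning that into a CPU or syslog flood.
logging rate-limit 10
```

Permitting only the hub means DMVPN spoke-to-spoke tunnels cannot be built directly, which matches the hub-and-spoke OOB design in the thread; if the hub has more than one public address, or it changes, the ACL must be updated in step on every spoke (the Ansible push mentioned above is the natural place for that).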

