[ppml] Policy Proposal 2007-6 - Abandoned

On Wed, May 23, 2007 at 09:53:56PM -0400, Leo Bicknell wrote:
> I've been at several companies where each VPN is done with a /30
> between the companies, and a NAT on BOTH sides.

You can do that, perhaps, unless you can't.  A few protocols just won't
work (SIP is a notable example), and you need someone with a clue about
how to setup a NAT on each end.  That's not a given.  We have one
partner that put their senior network architect on the phone with us.
When we inquired about using BGP for dynamic routing, he said, and I'm
not making this up, "what's bgp?"  That's another Fortune 100 company.
For obvious reasons, I won't identify which one.

> However, I think the point several other posters made is important.  We
> renumber businesses we purchase all the time.  You need to have plans to
> renumber others and renumber yourself.  You need to invest in good DHCP
> tools, good DNS tools, and understand how to manage things like static
> IP'ed printers.  This is all true even if you're on 1918 space.
> Anything else is a business continuity risk.

That's absolutely true.  We can renumber *most* of our space very
quickly.  Unfortunately, the rest takes months, in the best case
scenario.  And we can't exactly dictate aggresive contract terms to
much larger companies that are paying a premium to use our services.

I really think people who think renumbering is easy don't work for
ASP-like companies.  There's a few specific challenges that make it a
thorny problem.  A large amount of embedded addresses in vpns and
customer-controlled ACLs are just a nightmare, especially when NAT
isn't an option.

-David