uses for VPN?

Ivan Shmakov oneingray at
Sun Nov 20 18:02:04 CET 2011

>>>>> Geoff Huston <gih at> writes:
>>>>> On 17/11/2011, at 2:07 AM, John Payne wrote:
>>>>> On Nov 16, 2011, at 4:26 AM, Ted Mittelstaedt <tedm at> wrote:

 >>> Remember, under IPv6 there is no NATTing so no need for VPNs.

 >> This I haven't heard before. I'm astounded that you would think that
 >> VPNs only exist because of NAT.

 > If you regard VPNs within a very limited context as the use of
 > tunnelling to allow one address context to form an overlay across a
 > different address context, then I think that the point is being made
 > that there is the possibility that in IPv6 we would all use a single
 > address context and there would be no a priori requirement to tunnel
 > IPv6 in IPv6, hence "no need for VPNs".

 > I also think that such a view is somewhat disconnected with today's
 > reality, where I observe a general perception that overlay tunnel
 > networks in the guise of VPNs offer various degrees of superior
 > security, control and flexibility.

	Given this one a bit of thought, I've tried to imagine where
	VPN's would still be useful in a “more or less perfect” world.

	So far, I see that VPN's could be an access control mechanism
	only if the software one wishes to control access has no way to
	discern between the clients with different permissions other
	than by the means of their respective IP addresses.  (While,
	arguably, Kerberos is much more flexible.)

	Then, however, I see that there're networks with poorly managed
	hosts.  E. g., there may be personal systems of employees
	connected to the organization's network (especially given that
	all the sorts of mobile computers are now an ubiquity.)  There,
	the employees may, for security reasons, prefer that the
	connection to the organization's network doesn't necessarily
	imply the connection to the outer Internet.  (Other than by an
	application-level proxy.)

	There, it becomes necessary for the router to discern between
	the globally- and locally-connected systems.

	The only solution for this kind of problem that I have in my
	mind is indeed the use of NAT.  And I'm curious if there're
	anything else to consider?


FSF associate member #7257
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
Url : 

More information about the ipv6-ops mailing list