uses for VPN?

Ted Mittelstaedt tedm at ipinc.net
Mon Nov 21 03:14:07 CET 2011


On 11/20/2011 9:02 AM, Ivan Shmakov wrote:
>>>>>> Geoff Huston<gih at apnic.net>  writes:
>>>>>> On 17/11/2011, at 2:07 AM, John Payne wrote:
>>>>>> On Nov 16, 2011, at 4:26 AM, Ted Mittelstaedt<tedm at ipinc.net>  wrote:
>
>   >>>  Remember, under IPv6 there is no NATTing so no need for VPNs.
>
>   >>  This I haven't heard before. I'm astounded that you would think that
>   >>  VPNs only exist because of NAT.
>
>   >  If you regard VPNs within a very limited context as the use of
>   >  tunnelling to allow one address context to form an overlay across a
>   >  different address context, then I think that the point is being made
>   >  that there is the possibility that in IPv6 we would all use a single
>   >  address context and there would be no a priori requirement to tunnel
>   >  IPv6 in IPv6, hence "no need for VPNs".
>
>   >  I also think that such a view is somewhat disconnected with today's
>   >  reality, where I observe a general perception that overlay tunnel
>   >  networks in the guise of VPNs offer various degrees of superior
>   >  security, control and flexibility.
>
> 	Given this one a bit of thought, I've tried to imagine where
> 	VPN's would still be useful in a “more or less perfect” world.
>
> 	So far, I see that VPN's could be an access control mechanism
> 	only if the software one wishes to control access has no way to
> 	discern between the clients with different permissions other
> 	than by the means of their respective IP addresses.  (While,
> 	arguably, Kerberos is much more flexible.)
>
> 	Then, however, I see that there're networks with poorly managed
> 	hosts.  E. g., there may be personal systems of employees
> 	connected to the organization's network (especially given that
> 	all the sorts of mobile computers are now an ubiquity.)  There,
> 	the employees may, for security reasons, prefer that the
> 	connection to the organization's network doesn't necessarily
> 	imply the connection to the outer Internet.  (Other than by an
> 	application-level proxy.)
>
> 	There, it becomes necessary for the router to discern between
> 	the globally- and locally-connected systems.
>
> 	The only solution for this kind of problem that I have in my
> 	mind is indeed the use of NAT.  And I'm curious if there're
> 	anything else to consider?
>


LAN 2 LAN VPN's will still be required under IPv6.  A great many sites
will still follow the model of "hard exterior, soft and chewy interior"
and have internal networks of easily compromised hosts.

One of our customers for example has NO service-packed Windows servers
on it's inside network.  Why?  Because the software they use - all
niche market medical stuff - is not certified by the vendors to run 
under anything other than the original Windows Server loads.  They use 
older versions of Java, they run software that uses custom-modified DLLs 
in the Microsoft JET engine, the list goes on and on.

This site has a main office and satellite offices all connected together
with VPN's.

They are not allowed under Federal law to send unencrypted traffic in
between the satellites and the main office over the Internet because it 
carries patient data.  And none of their applications encrypt data.


Ted

> […]
>




More information about the ipv6-ops mailing list