Restrictions on Ethernet L2 circuits?

A.B. Jr. skandor at gmail.com
Fri Jan 1 09:03:54 CST 2010


Linen,

> As far as I'm concerned, enterprises should just connect their various
sites to the Internet independently, and use VPN

> techniques if and where necessary to provide the illusion of a unified
network.  In practice, this illusion of a single

> large LAN (or rather, multiple organization-wide LANs) is very important
to the typical enterprise, because so much

> security policy is enforced based on IP addresses.  And the typical
enterprise wants a central chokepoint that all traffic > must go through,
for reasons that might have to do with security, or support costs, or with
(illusions of) control.

Most security policies are also based on 'local" vs "remote" criteria. Most
pieces of software believe that an access to a local IP is faster and safer
than accesses to an IP address somewhere else.

Emulate means lying to someone, and if you start lying too much you can end
up messing everything. I agree that enterprises should use WANs as WANS
(i.e., IP routed networks) and don't try to hide distance and security
fragility from systems and security appliances. End to end VPN can be used
in the very special cases where a special security is needed, by means of
strong VPN encryption.

It seems nice to have something that looks like a simple Ethernet cable. The
problem is that it is *not* a simple cable, and will never be. Make the rest
of the LAN believe that it is such a simple cable may raise huge trouble.
Most of LAN protocols have a degree of TRUST on LAN traffic. Any security
expert will tell you that trust is your enemy.

 Managing a router is a hassle? Oh, come on! If a  net  admin is unable to
manage a simple sub net configuration and so some simple math with masks and
prefixes he would rather find himself another job.


Take care,


A.B. Jr.



More information about the NANOG mailing list