On Tue, 12 Aug 2003 12:09:20 -0700 "Michel Py" <[EMAIL PROTECTED]> wrote:
> Routing it over the Internet (without a VPN) for inter-enterprise
> communication would also be perfectly legitimate, host-to-host IPSEC for
> example. Then the line between it and global PI ceases to exist.

I think a concern about a future use of host-to-host IPSec and the consequences to local use addresses is quite valid. There are a number of reasons:

1) IPsec in IPv6 is *free*. Why bother getting a private WAN link when the QoS over the organisation's Internet link, when combined with IPsec, is good enough?

2) Scaling to large numbers of IPsec tunnels encounters the same problem that scaling over IP over ATM encountered - the overlay network problem.

3) The solution to the overlay network problem in IPsec is to use transport mode. Transport mode doesn't work with private addressing though.

4) I'm not in touch with recent IPsec / DNSSEC developments, but the only thing I'm aware of that is missing for easy end-to-end transport mode deployment is widely available opportunistic SA establishment.

I wrote a _long_ email describing this a while ago. I appreciate it may have been too long for people to read - I blame it on the fact that I learnt to type properly a number of years ago. I'm trying to learn to be more concise. If you are interested to read further, here is an archive copy:

http://marc.theaimsgroup.com/?l=ipng&m=103847657209894&w=2

When you add HIP (from what I understand of it) into the mix, you end up splitting the locator and identifier, which I think also makes the multihoming problem easier to fix.

Regards,
Mark.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
