On Dec 4, 2011, at 2:26 PM, Joel jaeggli wrote:

> It's not a question of starting. outside of some small number of
> developed economies mobile carriers and a number of wireline providers
> were always deployed that way, or out of squat space however bad an idea
> that may have been.

OK, yeah "started" is not a good word. It's been that way for a good while.

> the vpn connection is going to work, it's being established against a
> public endpoint. the risk for a collision between the resulting routing
> tables is scoped to the netmask of that outside interface.

Nope. The VPN transport layer connection works of course - the resulting internal routes learned inside it break. Obviously if the netmask/subnets work out right you're ok. But that's the rub - how do we know what they could be? This isn't just some simple model of a single corporate 10.x.x.x subnet you're reaching through a VPN; big/medium companies have multiple internal private networks, including labs and remote branches and such.

> enterprises have a lot of experience with this, it's a necessary
> consequence of supporting mobile users whether they are wireless or in
> hotels.

And it actually breaks in practice. I'm not speaking of hypotheticals - it's happened to me, at more than one employer. I don't disagree similar problems happen in hotel networks (that's happened to me too, at an IETF meeting hotel years ago if I recall right)... but do we want to say the ISPs have to use a hotel model of "click this and pay more for a VPN-capable connection" instead of allocating them a /10? [note: I realize hotels do this to also make legacy unencapsulated IPsec VPNs work, but I'm not talking about that]

-hadriel

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
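A small diagnostic for the route collision described in the message above (an added example, not part of the thread or any IETF document): given the subnet the ISP assigned on the outside interface and the routes a VPN client pushed, it lists which pushed routes overlap the local subnet, says which side wins by longest-prefix match, and flags whether the local default gateway would be captured by a pushed route. The interface prefix, gateway and route list in the usage call are constructed sample values.

```python
"""Check VPN-pushed routes against the outside interface's subnet.

The tunnel itself comes up fine (it targets a public endpoint); what breaks
is the overlap between routes learned inside the tunnel and the address
space the ISP put on the outside interface. Plain longest-prefix matching
decides which side wins, so that is all this check models.
"""
from ipaddress import ip_address, ip_network


def overlapping_routes(local_prefix, vpn_routes):
    """Return (route, outcome) for every pushed route overlapping local_prefix.

    'vpn-route-shadows-local': the pushed route is more specific, so hosts in
        that part of the local subnet (possibly the gateway) go into the tunnel.
    'local-subnet-shadows-vpn': the connected route is more specific, so the
        internal hosts in that range are unreachable through the VPN.
    'exact-collision': same prefix; which wins depends on metrics.
    """
    local = ip_network(local_prefix, strict=False)
    hits = []
    for route in vpn_routes:
        net = ip_network(route, strict=False)
        if not net.overlaps(local):
            continue
        if net.prefixlen > local.prefixlen:
            outcome = "vpn-route-shadows-local"
        elif net.prefixlen < local.prefixlen:
            outcome = "local-subnet-shadows-vpn"
        else:
            outcome = "exact-collision"
        hits.append((str(net), outcome))
    return hits


def gateway_black_holed(local_prefix, gateway, vpn_routes):
    """True if a pushed route at least as specific as the connected subnet
    contains the default gateway: traffic to the gateway (and so the tunnel's
    own transport) would be steered into the VPN unless a host route exists."""
    local = ip_network(local_prefix, strict=False)
    gw = ip_address(gateway)
    return any(gw in net and net.prefixlen >= local.prefixlen
               for net in (ip_network(r, strict=False) for r in vpn_routes))


if __name__ == "__main__":
    # Constructed sample: ISP hands out 10.64.3.17/22, VPN pushes RFC 1918 space.
    pushed = ["10.0.0.0/8", "172.16.0.0/12", "192.168.50.0/24"]
    print(overlapping_routes("10.64.3.17/22", pushed))
    print(gateway_black_holed("10.64.3.17/22", "10.64.0.1", pushed))
```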