[asterisk-biz] Re: Verizon Interconnection

Asterisk asterisk at widevoip.com
Sat Jun 9 09:32:59 MST 2007


Hello,

Many companies, like Daimler Chrysler, are using IPs from the public class, but they are
only routed inside their private network.
They bought /16 IP space many years ago and still use it, as that was the way
to do it before.

Using public addresses for internal use is wasting IPs, but I don't see any
specific problem for routing.
All border routers are doing very simple firewalling (most of the time only
ACLs).
If you have been assigned public IPs, I advise you to do antispoofing on
your border routers or gateways,
to avoid incoming packets from the Internet with your IPs.

Also, ISPs are dedicating IPs from their IP plan only for securing the
administration of all equipment,
and using a VPN over public IP space, as described for Verizon, makes
managing a lot of tunnels
with different customers easier.

Just to explain: if you are using standard IPSEC with preshared keys connected to the
same VPN concentrator,
how are you going to manage two users with the same local IP address space?

For example:

verizon internal = 10.1.1.0/24 <-> IPSEC <-> customer 1 internal = 10.1.2.0/24

and you start business with them and your internal network is 10.1.2.0/24.

Do you think Verizon will change on its side? I think you'll have to do it,
and it can be a mess.

Best regards,

thierry
 


  _____  

From: asterisk-biz-bounces at lists.digium.com
[mailto:asterisk-biz-bounces at lists.digium.com] On behalf of Matt
Sent: Saturday, June 9, 2007 14:08
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] Re: Verizon Interconnection


Christopher,
I understand exactly what you are saying.... but let's think about this for
a moment.

If the networks we are stitching together have all public IPs, then either
one of two things is happening.

1 - You can't access the IPs from the Internet, so they aren't really
public... they are from the public pool, and are depleting the limited
supply for IPs, but they aren't public, therefore they should be private
IPs.

2 - You can access the IPs from the Internet, therefore, there is no need
for a VPN.

You should never never never NEVER use public IPs behind a firewall (unless
they can be accessed from the Internet). To put a public IP behind a
firewall where it can't be accessed is a waste of IP space, and asking for
routing problems.


On 6/9/07, Christopher LILJENSTOLPE <cdl at asgaard.org> wrote: 

Ahh - I have to disagree here.  A VPN makes a virtual connection
between two networks.  The state of those networks is entirely up to
the people who run the networks.  I know of a LOT of cases where
people use VPNs to tunnel puddles of networks over the public 
infrastructure to stitch a single AS together, for example.

As far as 1918 vs. globally unique address space, there are many
"public" and "private" networks that use the latter.  Anyone planning
on using 1918 space for VoIP infrastructure that is going to connect
to external entities is not really thinking things through (or
believes that SBCs will make everything painless).  To quote Randy
Bush...

        Chris

On Jun 8, 2007, at 23.30 , Matt wrote:

> I'm not sure what the problem is. You use public IP, you use IPSEC,
> static route VZ IPs down the tunnel. No problem.
>
> Right there is no problem, now.   As everyone else in this thread
> has said (for the most part).  It works once you understand what
> Verizon is trying to do, however prior to that their IPSEC layout
> is rather confusing.  I.e. *normally* a VPN connects two PRIVATE
> networks together... not two PUBLIC networks.

_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

asterisk-biz mailing list
To UNSUBSCRIBE or update options visit: 
   http://lists.digium.com/mailman/listinfo/asterisk-biz
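
Added example, not part of the original thread or written by any of its participants: a Python sketch of the two checks thierry's message raises, detecting overlapping protected subnets among tunnels on one VPN concentrator and the anti-spoofing decision on an Internet-facing interface. The 10.1.x.0/24 ranges are from the thread; the peer names, the documentation prefixes and the extra RFC 1918 source drop are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed sample data. 10.1.1.0/24 and 10.1.2.0/24 come from the thread;
# peer names and the documentation prefixes are assumptions.
CONCENTRATOR_LOCAL = ipaddress.ip_network("10.1.1.0/24")
PEER_SUBNETS = {
    "customer1": ["10.1.2.0/24"],
    "customer2": ["10.1.2.0/24"],      # new customer using the same private range
    "customer3": ["203.0.113.0/24"],   # globally unique space, no collision
}
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed assigned block
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_selector_conflicts(local, peers):
    """Return sorted (name_a, name_b, net_a, net_b) tuples for every pair of
    tunnel endpoints whose protected subnets overlap. The concentrator's own
    side is included and reported as 'local'."""
    entries = [("local", local)]
    for name, nets in peers.items():
        entries += [(name, ipaddress.ip_network(n)) for n in nets]
    conflicts = []
    for (a, net_a), (b, net_b) in combinations(entries, 2):
        if a != b and net_a.overlaps(net_b):
            conflicts.append((a, b, str(net_a), str(net_b)))
    return sorted(conflicts)


def ingress_verdict(src_ip, own_prefixes):
    """Anti-spoofing decision for a packet arriving from the Internet side.
    A source inside our own assigned space cannot legitimately arrive there;
    dropping RFC 1918 sources as well is an added, common companion rule."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in own_prefixes):
        return "drop: source claims our own prefix"
    if any(src in net for net in RFC1918):
        return "drop: RFC 1918 source"
    return "accept"


if __name__ == "__main__":
    for conflict in find_selector_conflicts(CONCENTRATOR_LOCAL, PEER_SUBNETS):
        print("overlap:", conflict)
    for ip in ("198.51.100.25", "10.1.2.5", "192.0.2.10"):
        print(ip, "->", ingress_verdict(ip, OWN_PREFIXES))
```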


