[118423] in North American Network Operators' Group


Re: ISP customer assignments

daemon@ATHENA.MIT.EDU (Ricky Beam)
Wed Oct 21 17:38:08 2009

To: NANOG <nanog@nanog.org>
Date: Wed, 21 Oct 2009 17:37:02 -0400
From: "Ricky Beam" <jfbeam@gmail.com>
In-Reply-To: <18a5e7cb0910201638j7a24a10dwb8440a42f8f9c49e@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, 20 Oct 2009 19:38:58 -0400, Bill Stewart <nonobvious@gmail.com>  
wrote:
> ... If you've got a VPN tunnel device, too often the remote
> end will want to contact you at some numerical IPv4 address and isn't
> smart enough to query DNS to get it.

As I was told by Cisco, that's a security "feature".  Fixed VPN endpoints
are supposed to be *fixed* endpoints.  Yes, it is a pain when an address
changes, for whatever reason.  But relying on DNS to eventually get the
endpoint(s) right is an even bigger mess... how often is the name<->IP
updated? how often do the various DNS servers revalidate those records?
how often do the VPN devices revalidate the names? what happens when the
DNS changes while the VPN is still up?

I'll stick with entering IP addresses.

--Ricky
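The questions Ricky raises (how often a record is refreshed, when a device re-resolves, what happens when the name changes under a live tunnel) can be made concrete with a small model. The following is an added example, not code from the post or from any Cisco product: the `PeerEndpoint` class, the `FakeZone` stand-in for DNS, and the addresses and TTLs are all constructed here. It contrasts a fixed-IP peer, which never moves, with a DNS-named peer that is re-resolved only after its cached TTL expires and that keeps its existing tunnel when the answer changes, deferring the move to the next renegotiation.

```python
"""Model of fixed-IP vs. DNS-named VPN peers (added example, not from the post).

All DNS answers come from an in-process table; nothing touches the network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical resolver signature: name -> (IPv4 address, TTL in seconds).
Resolver = Callable[[str], Tuple[str, int]]


class FakeZone:
    """Constructed stand-in for DNS: a mutable name -> (ip, ttl) table."""

    def __init__(self, records: Dict[str, Tuple[str, int]]):
        self.records = dict(records)

    def __call__(self, name: str) -> Tuple[str, int]:
        return self.records[name]


@dataclass
class PeerEndpoint:
    """A VPN peer given either as a fixed IPv4 address or as a DNS name."""

    fixed_ip: Optional[str] = None
    dns_name: Optional[str] = None
    tunnel_up: bool = False
    pending_rekey_to: Optional[str] = None  # new address seen while tunnel was up
    _cached_ip: Optional[str] = None
    _expires_at: float = 0.0  # absolute time the cached answer's TTL runs out

    def __post_init__(self) -> None:
        if (self.fixed_ip is None) == (self.dns_name is None):
            raise ValueError("configure exactly one of fixed_ip or dns_name")
        if self.fixed_ip is not None:
            ipaddress.IPv4Address(self.fixed_ip)  # fail at config time, not at dial time

    def current_peer(self, resolver: Resolver, now: float) -> str:
        """Return the address the device should use at time `now`.

        A fixed peer is returned as-is.  A DNS peer is re-resolved only once the
        cached TTL has expired.  If the answer changed while the tunnel is up,
        the live tunnel keeps its old address and the new one is parked in
        `pending_rekey_to` for the next renegotiation, so a DNS edit does not
        tear down the session by itself.
        """
        if self.fixed_ip is not None:
            return self.fixed_ip
        if self._cached_ip is not None and now < self._expires_at:
            return self._cached_ip  # still within TTL: no revalidation yet
        ip, ttl = resolver(self.dns_name)
        ipaddress.IPv4Address(ip)  # reject junk answers before trusting them
        self._expires_at = now + max(ttl, 0)
        if self._cached_ip is not None and ip != self._cached_ip and self.tunnel_up:
            self.pending_rekey_to = ip
            return self._cached_ip
        self._cached_ip = ip
        return ip

    def on_rekey(self) -> None:
        """At renegotiation, adopt any address change noticed while the tunnel was up."""
        if self.pending_rekey_to is not None:
            self._cached_ip = self.pending_rekey_to
            self.pending_rekey_to = None


def dns_peer_scenario() -> List[str]:
    """Walk a DNS-named peer through an address change under a live tunnel."""
    zone = FakeZone({"vpn.example.net": ("192.0.2.10", 300)})  # constructed record
    peer = PeerEndpoint(dns_name="vpn.example.net")
    t0 = 1000.0
    seen = [peer.current_peer(zone, t0)]  # first resolution
    peer.tunnel_up = True
    zone.records["vpn.example.net"] = ("198.51.100.7", 300)  # remote end moves
    seen.append(peer.current_peer(zone, t0 + 60))   # TTL not expired: stale answer
    seen.append(peer.current_peer(zone, t0 + 301))  # TTL expired: change noticed, old kept
    seen.append(peer.pending_rekey_to or "")       # parked for the next rekey
    peer.on_rekey()
    seen.append(peer.current_peer(zone, t0 + 302))  # now on the new address
    return seen


def fixed_peer_scenario() -> List[str]:
    """A fixed-IP peer ignores DNS entirely, whatever the zone says."""
    zone = FakeZone({"vpn.example.net": ("192.0.2.10", 300)})
    peer = PeerEndpoint(fixed_ip="203.0.113.1")
    first = peer.current_peer(zone, 0.0)
    zone.records["vpn.example.net"] = ("198.51.100.7", 300)
    return [first, peer.current_peer(zone, 10_000.0)]


if __name__ == "__main__":
    print("dns peer:  ", dns_peer_scenario())
    print("fixed peer:", fixed_peer_scenario())
```

The TTL here is the only thing driving re-resolution, which is exactly the gap Ricky points at: between the zone edit and TTL expiry the device is happily dialing the old address, and after expiry it still has to decide whether to drop the live tunnel or wait for a rekey. The fixed-IP path has none of that state to get wrong.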

