Subject: RE: [Ecrit]EmergencyContextRoutingofInternetTechnologies-ArchitectureConsiderations
From: "Winterbottom, James"
Date: Mon, 12 Sep 2005 16:25:51 -0500
John

This is simply not true!
The view was always that you got a location or a locationURI prior to
tunnel establishment, if you have a location-aware client. So I simply
don't see your argument here. The split tunneling issue has nothing
whatsoever to do with HELD; it is simply a statement that local traffic
should be kept, where possible, local.

There are several other concerns I have with your arguments to Martin's
response, and we will get to those later today.

Cheers
James

> 
> The problem with VPNs is for designs such as HELD that assume the IP
> address of the host enables determination of the location.  When it was
> pointed out that the host's IP address is assigned by the enterprise
> end of the VPN tunnel, which is potentially very far from the
> tele-worker, a proposal was made that the host use its original (not
> tunnel) address when attempting an emergency call.  It is the implied
> need for split-tunnel that exposes the original IP source address that
> leads to the security problem: host both inside and outside the
> enterprise security perimeter.
> 
> John
> 
> On Sep 12, 2005, at 11:13 AM, Stastny Richard wrote:
> 
> > Maybe I do not understand the problem with VPNs fully,
> > but IMHO if you use a VPN you must first attach to the local
> > network to get the local IP connection to set up the VPN.
> > Doing so you get an IP address via DHCP and you also may
> > get the location. Now you have the location stored somewhere
> > on the device.
> >
> > If you now set up the VPN, you get a new IP address from home
> > network, but you still have the location stored and can retrieve it.
> >
> > There is only one requirement left for the home network: you need
> > an access to the mapping database and you also need to be able to
> > set up a SIP connection to the PSAP, even if the home networks
> > does not allow general access to the Internet.
> >
> > I do not see a security problem here.
> >
> > Richard
> > ________________________________
> >
> > From: ecrit-bounces@xxxxxxxx on behalf of John Rosenberg
> >
> > Have to agree with John here. As one data point, our own corporate VPN
> > does not allow split tunneling, and our IT folks are *very* clear that
> > even connecting a PC that's on the VPN to another network (e.g. the
> > public internet) is prohibited. I would think that this is the rule
> > rather than the exception.

_______________________________________________
Ecrit mailing list
Ecrit@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ecrit
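The following is an added example, not part of the ECRIT thread and not HELD itself: a small Python model of the two ways of locating a VPN-connected host that the messages above contrast. An IP-keyed lookup made after the tunnel is up sees only the enterprise-assigned address and therefore resolves to the enterprise site; a location fetched and cached while the host still presents its local access-network address resolves to the teleworker's actual site. All prefixes, addresses and place names are constructed for illustration, and the lookup table stands in for whatever location server the access network would run.

```python
"""Added example (not from the ECRIT thread): a toy model of why an
IP-keyed location lookup misplaces a VPN-connected host, and how caching
the location obtained before tunnel establishment avoids the problem.
All networks, addresses and place names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed access-network map: the access provider's location server
# knows which physical site each of its prefixes serves.
ACCESS_NETWORK_MAP = {
    ipaddress.ip_network("192.0.2.0/24"): "Teleworker home, 123 Example St",
    ipaddress.ip_network("198.51.100.0/24"): "Coffee shop, Main St",
}
# Constructed enterprise pool handed to VPN clients at the HQ end.
ENTERPRISE_VPN_POOL = ipaddress.ip_network("203.0.113.0/24")
ENTERPRISE_SITE = "Enterprise HQ, 1 Corporate Plaza"


def locate_by_ip(addr: str) -> Optional[str]:
    """IP-keyed lookup: return the location the server associates with
    the requester's source address, or None if the address is unknown."""
    ip = ipaddress.ip_address(addr)
    for net, place in ACCESS_NETWORK_MAP.items():
        if ip in net:
            return place
    if ip in ENTERPRISE_VPN_POOL:
        # The enterprise end assigned this address, so the only location
        # derivable from it is the enterprise site, not the teleworker's.
        return ENTERPRISE_SITE
    return None


@dataclass
class Host:
    local_addr: str
    tunnel_addr: Optional[str] = None
    cached_location: Optional[str] = None

    def attach_to_access_network(self) -> None:
        """Acquire the local address, then fetch and store the location
        while the local address is still what the location server sees."""
        self.cached_location = locate_by_ip(self.local_addr)

    def establish_vpn(self, tunnel_addr: str) -> None:
        """Bring up the tunnel; the enterprise end assigns the address."""
        self.tunnel_addr = tunnel_addr

    def current_source_addr(self) -> str:
        # Without split tunneling, all traffic leaves via the tunnel.
        return self.tunnel_addr or self.local_addr

    def location_for_emergency_call(self, use_cache: bool = True) -> Optional[str]:
        """Cached pre-tunnel location if available, else a fresh lookup
        keyed on whatever source address the host currently presents."""
        if use_cache and self.cached_location:
            return self.cached_location
        return locate_by_ip(self.current_source_addr())


def demo() -> dict:
    """Constructed scenario: a teleworker attaches at home, caches the
    location, then brings up the corporate VPN."""
    h = Host(local_addr="192.0.2.42")
    h.attach_to_access_network()
    h.establish_vpn("203.0.113.7")
    return {
        "cached": h.location_for_emergency_call(use_cache=True),
        "by_tunnel_ip": h.location_for_emergency_call(use_cache=False),
    }


if __name__ == "__main__":
    for label, place in demo().items():
        print(f"{label}: {place}")
```

The cached path needs no split tunnel: the location is obtained before the tunnel exists, and the emergency call later only has to carry that stored value (or a location URI) through whatever path the enterprise network permits.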