
Subject: Re: Feature Request: IP address enforcement
From: Olaf Titz <olaf,AT,bigred,DOT,inka,DOT,de>
Date: Thu, 11 Jan 2001 15:10:44 +0100
In-reply-to: <20010111202024.A3936@trimble.co.nz>

> pppd and commercial VPN servers allow you to force the client to defer to
> the server for their IP addresses. If you are wanting random people
> connecting to your LAN via VPN, the last thing you want is them to be
> assigning themselves your primary Web server as their own IP address! :-)

You don't want _random_ people to connect to your LAN anyway ;-)

With static configuration (i.e. all officially released CIPE
versions), this is not much of an issue because _both_ ends have to be
told the addresses. I.e. in a client-server-like setup, the server
will have the right ptpaddr (and thus at least a client with a bogus
ipaddr won't be able to divert traffic from the LAN, unless routing
protocols are involved).

Nonetheless, I've already thought of a client-server setup where the
client gets its address from the server. I'm planning to make this
possible with PKCIPE in a later version. Then it will be possible for
one end to tell the other configuration options (including IP
addresses, but also things like MTU or maxerr) in the style of
    you MUST use this option
    you CANT use this option
    I WILL use this option
    etc.

> #VPN client
> ipaddr    server_assigned
>
> #VPN server
> ptpaddr   192.168.1.1-100 #assign next free address in range

You really don't want dynamic addresses in this situation. One of the
big advantages of VPNs is that you have enough address space at your
hand to not need this abomination. But assigning an address to the
client by the server is OK, because then you can run the client with
next to no configuration.

Olaf