RE: [address-policy-wg] Renumbering sites (Was: Just say *NO* to PI space -- or how to make it lessdestructive)
From: Jørgen Hovland jorgen@localhost
Date: Tue, 25 Apr 2006 19:51:32 +0200
Pardon me for saying, but all of this is bollocks. Renumbering is as easy as
you want it to be. Make a proper policy and then create the tools for it. It
is that easy. I am sure we can discuss poorly designed solutions any (other)
time.
I support proposal 2006-01.
j
-----Original Message-----
From: address-policy-wg-admin@localhost
[ ] On Behalf Of Michel Py
Sent: 25. april 2006 17:44
To: Jeroen Massar
Subject: RE: [address-policy-wg] Renumbering sites (Was: Just say *NO* to PI
space -- or how to make it lessdestructive)
> Wilfried Woeber wrote:
> Why does the laptop store the *addresses* instead of an (FQ)DN?
Mine is configured that way because I want to be able to get in remotely
in case of a DNS failure so I can fix the DNS :-D
Other reason: VPNs based on FQDNs have a tendency to timeout, especially
at the first attempt from a remote location (because the FQDN is not
cached and has to go up to the root). Also DNS requests go over UDP,
which is unreliable. It happens all the time that Joe Blow traveling
somewhere reports the next day that he could not check his email or
download the sales report because the VPN was not working (because Joe
either is not smart enough to retry or finds it a good excuse to go to
the bar instead). Next time he goes out the VPN is configured with the
hardcoded IP address of the VPN server.
In the end, it does not matter why. It's out there, and has to be dealt
with.
> Jeroen Massar wrote:
> Renumbering is *NOT* simple and *CAN't* be automated (no remote
> company will allow you full automatic access to change things in
> their setup, think firewall rules for instance...)
Indeed. Even if they did, it would be logistically impossible. I'm
currently configuring an IPSEC tunnel going to a very large corporation.
There are thousands of tunnels, configured on every router brand and
model man has ever made; each is unique. An automated tool to change
this is not in the realm of possible.
This leaves the large company with having to deal with thousands of
different people with issues such as half of the techs that originally
configured the thing are no longer there, nobody remembers the router's
password, etc.
Renumbering any sizeable organization is _always_ a very costly
proposition. It requires allocating valuable resources for weeks to
prepare and more to carry out. Plus, in any renumbering I have done, some
issues popped up for weeks after the renumbering. Renumbering generates
a steady flow of trouble tickets that require more resources to deal
with _and_ make the network guys look like idiots.
Only rookies that have never been in the trenches in the real world
consider renumbering easy. Most of the more experienced network managers
out there will tell you this: I don't want to go through this again.
Michel.