[Outages-discussion] [outages] DHCP being dropped by Lumen?

Blake Hudson blake at ispn.net
Fri Jun 10 15:58:46 EDT 2022


Because a lot of it, for us anyway, is not within an organization. It's 
inter-organization (as we provide DHCP and DNS for clients). Why would 
one add VPN endpoints that will act as another point of failure? An 
additional point of complexity? An additional piece of equipment to 
maintain, update, power, etc? If one decided to update their VPN 
endpoint or switch to another vendor, would they require that every 
client replace their VPN at the same time? Would one, instead, stick 
themselves with the burden of purchasing, managing, and maintaining 
hundreds of remote VPN endpoints in locations they may have no access to?

If you have a VPN in place already for another application, sure. Use 
it. But for those who don't need a VPN, why would one choose to take on 
the above burdens for the sole purpose of obfuscating the contents of 
DHCP packets from the eyes of tier1/2 carriers? One's MAC address and IP 
address are not exactly the most sensitive info.


On 6/9/2022 11:26 AM, Bruce Wainer wrote:
> I agree with Grant. Just like we’ve run centralized DHCP and DNS for a 
> decade, we’ve run DMVPN and are now moving to SDWAN. If your 
> organization isn’t large enough for those types of automatic 
> VPN/tunnel building, manually creating VPNs back to your central 
> datacenter is probably something you’re going to do anyway for 
> internal server access, so why not send the DHCP through that as well?
>
> On Thursday, June 9, 2022, Grant Taylor <gtaylor at tnetconsulting.net> 
> wrote:
>
>     On 6/9/22 7:19 AM, Blake Hudson wrote:
>
>         We've used DHCP relay/helper across WAN connections for over a
>         decade without issue. Sometimes it doesn't make sense to have
>         a DHCP (or DNS or RADIUS) server on-site.
>
>         As others have stated, unicast DHCP is no different than any
>         other unicast packet.
>
>
>     I understand all the above.
>
>     What I'm not yet sure of is why you would not run such
>     site-to-site traffic through a VPN.
>
>     It seems to me like DHCP, DNS, RADIUS, etc. would benefit from
>     staying within the control of a common administrative entity. As
>     such, it seems logical to use a VPN between two distant pockets of
>     said administrative entity.
>
>     I'm just trying to understand what / why others are thinking and
>     learn therefrom.
>
>
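The thread turns on what a transit carrier can actually read out of a relayed DHCP packet. As an added example (not code from the list or from any of the posters), the Python below builds a constructed DHCPDISCOVER the way a relay agent would forward it (giaddr set, hops incremented) and parses the cleartext fields back out. The MAC address, hostname, vendor string, transaction id and relay address are all assumed sample values; the header layout and option codes follow RFC 2131/2132.

```python
import struct
from ipaddress import IPv4Address

# RFC 2131 BOOTP fixed header (236 bytes), followed by the DHCP magic cookie.
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_sample_relayed_discover() -> bytes:
    """Constructed sample packet (every value is an assumption for illustration):
    a DHCPDISCOVER after a relay agent has set giaddr and bumped hops."""
    zero = IPv4Address("0.0.0.0").packed
    header = struct.pack(
        HEADER_FMT,
        1, 1, 6, 1,                      # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1
        0x12345678, 0, 0x8000,           # xid, secs, flags (broadcast bit set)
        zero, zero, zero,                # ciaddr, yiaddr, siaddr
        IPv4Address("10.1.2.1").packed,  # giaddr: the relay's interface address
        bytes.fromhex("001122334455").ljust(16, b"\x00"),  # chaddr (client MAC)
        b"\x00" * 64, b"\x00" * 128)     # sname, file (unused here)
    options = (
        b"\x35\x01\x01"                                   # 53: message type = DISCOVER
        + b"\x0c\x06" + b"host-a"                         # 12: host name
        + b"\x3c\x08" + b"MSFT 5.0"                       # 60: vendor class identifier
        + b"\x3d\x07\x01" + bytes.fromhex("001122334455") # 61: client identifier
        + b"\xff")                                        # 255: end of options
    return header + MAGIC_COOKIE + options


def parse_options(buf: bytes) -> dict:
    """Walk the TLV option area; tolerates pad (0) and stops at end (255)."""
    opts, i = {}, 0
    while i < len(buf):
        tag = buf[i]
        if tag == 255:
            break
        if tag == 0:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[tag] = value
        i += 2 + length
    return opts


def parse_dhcp(pkt: bytes) -> dict:
    """Return the identifying fields a passive observer can read with no key at all."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr, _sname, _file) = struct.unpack(HEADER_FMT, pkt[:236])
    opts = parse_options(pkt[240:])
    msg_type = opts.get(53, b"\x00")[0]
    return {
        "message_type": MSG_TYPES.get(msg_type, f"unknown({msg_type})"),
        "xid": xid,
        "hops": hops,
        "relayed": giaddr != b"\x00\x00\x00\x00",
        "relay_agent_ip": str(IPv4Address(giaddr)),
        "client_ip": str(IPv4Address(ciaddr)),
        "offered_ip": str(IPv4Address(yiaddr)),
        "client_mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "client_id": opts[61].hex() if 61 in opts else "",
    }


def cleartext_identifiers(pkt: bytes) -> list:
    """Names of the non-empty identifying fields carried in the packet."""
    info = parse_dhcp(pkt)
    keys = ["client_mac", "hostname", "vendor_class", "client_id", "relay_agent_ip"]
    return [k for k in keys if info[k] not in ("", "0.0.0.0")]


if __name__ == "__main__":
    sample = build_sample_relayed_discover()
    for k, v in parse_dhcp(sample).items():
        print(f"{k:>15}: {v}")
    print("readable in transit:", cleartext_identifiers(sample))
```

Running it lists exactly the fields the thread is weighing: the client MAC and client identifier, the hostname and vendor class the client volunteers, and the relay's own address. A VPN between the relay and the server would hide those from the carrier; the relay itself is unaffected either way, since relay forwarding is plain unicast UDP/67 as the earlier messages note.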