[134587] in North American Network Operators' Group


asymmetric routes/security concerns/Fortinet

daemon@ATHENA.MIT.EDU (Greg Whynott)
Fri Jan 7 12:40:39 2011

From: Greg Whynott <Greg.Whynott@oicr.on.ca>
To: "nanog@nanog.org list" <nanog@nanog.org>
Date: Fri, 7 Jan 2011 12:40:32 -0500
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



Hello,

We have multiple internet connections, of which one is a research network where many medical institutions and universities are also connected throughout the country. This research network (ORION) also has internet access but is not meant to be used as a primary path to the internet by its customers. Connected to the ORION network are many sites we exchange email with daily who also have multiple internet connections. One of these sites is not reachable by us. After investigating, it was discovered this site is dropping our connections as the path back to us would use a different interface on the firewall (a Fortinet device) than that which it arrived upon.

The admins at this university claim this is by design and for security reasons. My response was the entire internet is asymmetrical and while this may have been a legitimate concern in the 90's, I don't think it's a real concern anymore if things are set up correctly. They suggested we add static routes to our equipment to address this... This seems like a bad idea and I am not comfortable adjusting my routing table to address one site's issues on the internet due to their (not ours) routing/security policies.

Am I correct here? Any comments on this would be greatly appreciated as I'll be called into a meeting to discuss this further (they are digging in their heels on this, and higher ups are getting involved now). I'd like to arm myself with a few perspectives.

thanks very much for your time again,

greg





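Added example, not part of the original message and not Fortinet's implementation: a minimal model of the interface-based reverse-path check the post describes, showing why a strict check drops a multihomed sender's packets while a loose check accepts them. The interface names, prefixes and packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table of a dual-homed firewall (interface names and
# prefixes are hypothetical; 203.0.113.0/24 stands in for the sender's network).
ROUTES = [
    ("0.0.0.0/0", "wan-commodity"),       # default route via the commodity ISP
    ("203.0.113.0/24", "wan-research"),   # sender's prefix learned via the research network
]

def best_route(routes, addr):
    """Longest-prefix match: return the interface used to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), ifname) for p, ifname in routes
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def rpf_accepts(routes, src, in_if, mode="strict"):
    """Reverse-path check on a packet from src that arrived on in_if.

    strict: the best route back to src must leave through in_if.
    loose:  any route back to src is enough, whatever the interface.
    """
    back_if = best_route(routes, src)
    if back_if is None:
        return False              # no route to the source at all: drop in both modes
    if mode == "loose":
        return True
    return back_if == in_if

if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface)
    packets = [
        ("203.0.113.25", "wan-commodity"),  # asymmetric: route back uses the other link
        ("203.0.113.25", "wan-research"),   # symmetric
        ("192.0.2.10", "wan-commodity"),    # only the default route matches
    ]
    for src, in_if in packets:
        for mode in ("strict", "loose"):
            verdict = "accept" if rpf_accepts(ROUTES, src, in_if, mode) else "drop"
            print(f"{mode:6} src={src:13} in={in_if:13} -> {verdict}")
```

The loose mode still rejects sources with no route at all, which is the spoofing protection that remains once the arrival interface is no longer required to match.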

