[134590] in North American Network Operators' Group
Re: asymmetric routes/security concerns/Fortinet
daemon@ATHENA.MIT.EDU (Greg Whynott)
Fri Jan 7 13:56:10 2011
From: Greg Whynott <Greg.Whynott@oicr.on.ca>
To: John Kristoff <jtk@cymru.com>
Date: Fri, 7 Jan 2011 13:56:00 -0500
In-Reply-To: <20110107121509.331415d6@t61p>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Thanks John for your input.
You are correct, ORION is a dedicated high speed research network.
Based on the fact that we access ORION via one of our ISPs (3rd party, we don't BGP/directly peer with ORION), I'm not sure if I can use this solution here. I could do that for the routes learned from that ISP, but we receive the entire internet routing table from them… I'd have to understand things more before I went down that road. Perhaps I shouldn't be accepting the full table from them.
The localpref is something I'll look at, thanks for that. I'm not a BGP expert by any stretch, and our requirements here are "simple". We are not a transit. I've only attempted to make the config safe, not efficient.
I'd like to hear what you have to say about the original question: is there good reason in this day and age to drop traffic as described in the original post, in your opinion?
-g
On Jan 7, 2011, at 1:15 PM, John Kristoff wrote:
> On Fri, 7 Jan 2011 12:40:32 -0500
> Greg Whynott <Greg.Whynott@oicr.on.ca> wrote:
>
>> we have multiple internet connections of which one is a research
>> network where many medical institutions and universities are also
>> connected to throughout the country. This research network (ORION)
>> also has internet access but is not meant to be used as a primary
>> path to the internet by its customers. Connected to the ORION
>> network are many sites we exchange email with daily who also have
>> multiple internet connections. One of these sites is not reachable
>> by us. After investigating, it was discovered this site is
>> dropping our connections as the path back to us would use a
>> different interface on the firewall ( a Fortinet device) than that
>> which it arrived upon.
>
> Correct me if I'm wrong, I'm not very familiar with ORION, but if it's
> like some of the research networks in the U.S. have been built in the
> past, ORION is a dedicated high speed, low latency network that
> interconnects research institutions together. The way these are often
> used is that you localpref routes you learn from ORION participants so
> that traffic between each of you goes over the research network. You'd
> typically want this since the performance is good and there is plenty of
> capacity available, but it is also paid for, probably through some
> research grant, helping to reduce the use and expense of your commercial
> transit.
>
> You should be sending your traffic to them via ORION and they
> likewise. However, if that path is down, then it would make sense for
> it to go via another route. Hence, asymmetry may happen.
>
> Are you not sending the traffic via ORION? If so, then I'd suggest you
> both have something to fix. :-)
>
> John
--
This message and any attachments may contain confidential and/or privileged information for the sole use of the intended recipient. Any review or distribution by anyone other than the person for whom it was originally intended is strictly prohibited. If you have received this message in error, please contact the sender and delete all copies. Opinions, conclusions or other information contained in this message may not be that of the organization.
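The interaction John describes (each side raising LOCAL_PREF on routes learned over the research network, and asymmetry when only one side does), the reverse-path drop Greg observed on the remote Fortinet, and Greg's worry about applying such a policy to a peer that also sends a full table, worked through in a small Python model. This is an added example, not code from either poster. All ASNs, prefixes and interface names are invented; BGP path selection is reduced to LOCAL_PREF then AS_PATH length; and the firewall is reduced to the one check the original post describes (the route back to the packet's source must leave via the interface the packet arrived on).

```python
"""Toy model of the asymmetric-routing problem discussed in this thread.

Added example, not from the original posts. Site A (Greg's side) reaches
ORION indirectly through ISP1, which also sends a full table, and has a
second commercial transit ISP2. Site B peers with ORION directly and has
its own commercial transit ISP_B. All numbers are invented for the example.
"""
from dataclasses import dataclass, replace

# Hypothetical ASNs, not real assignments.
ORION, ISP1, ISP2, TIER1, ISP_B, SITE_A, SITE_B, OTHER = (
    65001, 65010, 65020, 65030, 65040, 65100, 65200, 65300)


@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: int      # neighbour ASN the route was received from
    as_path: tuple         # AS_PATH as seen by the receiving router
    local_pref: int = 100  # BGP default LOCAL_PREF


def best_path(routes):
    """Reduced BGP decision process: highest LOCAL_PREF, then shortest AS_PATH."""
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path)))


def prefer_research(routes, match, pref=200):
    """Route-map equivalent: raise LOCAL_PREF on every route that `match` accepts."""
    return [replace(r, local_pref=pref) if match(r) else r for r in routes]


def via_orion(route):
    """Narrow match (an as-path filter on the ORION ASN): path transits ORION."""
    return ORION in route.as_path


def from_isp1(route):
    """Broad match: everything learned from the ISP that carries ORION."""
    return route.learned_from == ISP1


def egress_iface(route):
    """Simplification: a path that transits ORION is delivered onto the other
    site's ORION interface, anything else onto its commercial interface."""
    return "orion" if via_orion(route) else "commercial"


def rpf_accepts(fw_routes_to_src, ingress):
    """Reverse-path check of a stateful firewall with asymmetric routing
    disabled: the best route back to the source must leave via `ingress`."""
    return egress_iface(best_path(fw_routes_to_src)) == ingress


def handshake_completes(a_routes_to_b, b_routes_to_a, b_fw_allows_asym=False):
    """Site A sends a SYN to site B; True if B's firewall accepts it."""
    ingress_at_b = egress_iface(best_path(a_routes_to_b))
    return b_fw_allows_asym or rpf_accepts(b_routes_to_a, ingress_at_b)


# Constructed routing tables (documentation prefixes, invented AS paths).
A_TO_B = [Route("198.51.100.0/24", ISP1, (ISP1, ORION, SITE_B)),  # via ORION
          Route("198.51.100.0/24", ISP2, (ISP2, SITE_B))]         # commercial
A_TO_OTHER = [Route("203.0.113.0/24", ISP1, (ISP1, TIER1, OTHER)),  # full table
              Route("203.0.113.0/24", ISP2, (ISP2, OTHER))]         # shorter
B_TO_A = [Route("192.0.2.0/24", ORION, (ORION, ISP1, SITE_A)),  # via ORION
          Route("192.0.2.0/24", ISP_B, (ISP_B, SITE_A))]         # commercial


def scenarios():
    """Which policy combinations let A's handshake through B's firewall."""
    a_pref = prefer_research(A_TO_B, via_orion)
    b_pref = prefer_research(B_TO_A, via_orion)
    return {
        "neither prefers ORION": handshake_completes(A_TO_B, B_TO_A),
        "only A prefers ORION": handshake_completes(a_pref, B_TO_A),
        "only B prefers ORION": handshake_completes(A_TO_B, b_pref),
        "both prefer ORION": handshake_completes(a_pref, b_pref),
        "only A prefers, B firewall allows asymmetry":
            handshake_completes(a_pref, B_TO_A, b_fw_allows_asym=True),
    }


def full_table_side_effect():
    """Greg's concern: a broad match on the ISP1 session pulls unrelated
    internet prefixes onto that link too; matching the ORION ASN in the
    AS_PATH leaves them on the shortest path. Returns (broad, narrow) winners."""
    broad = prefer_research(A_TO_OTHER, from_isp1)
    narrow = prefer_research(A_TO_OTHER, via_orion)
    return best_path(broad).learned_from, best_path(narrow).learned_from


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:45s} {'ok' if ok else 'DROPPED by reverse-path check'}")
    print("203.0.113.0/24 exits via", full_table_side_effect())
```

The two "only one side prefers ORION" rows reproduce the drop in the original post: the SYN lands on one interface of the remote firewall while the best route back to the source points out another. The last row shows the other way out, telling the firewall to accept asymmetric flows (FortiOS exposes this as the asymroute setting), which restores connectivity at the cost of the reverse-path check and, with it, part of the stateful inspection, so fixing the policy on both sides is the better answer. The broad-versus-narrow comparison is the point Greg raises about the full table: the LOCAL_PREF bump should be keyed on the AS_PATH (or a community, if the ISP marks those routes), not on the peering session.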