[134592] in North American Network Operators' Group
Re: asymmetric routes/security concerns/Fortinet
daemon@ATHENA.MIT.EDU (Justin M. Streiner)
Fri Jan 7 14:29:06 2011
Date: Fri, 7 Jan 2011 10:31:57 -0500 (EST)
From: "Justin M. Streiner" <streiner@cluebyfour.org>
To: "nanog@nanog.org list" <nanog@nanog.org>
In-Reply-To: <DDDFE07B-1F70-4CB8-A470-8189ACBFDCBA@oicr.on.ca>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> The admins at this university claim this is by design and for security
> reasons.. My response was the entire internet is asymmetrical and
> while this may have been a legitimate concern in the 90's, I don't think
> it's a real concern anymore if things are set up correctly. They
> suggested we add static routes to our equipment to address this… This
> seems like a bad idea and I am not comfortable adjusting my routing
> table to address one site's issues on the internet due to their (not
> ours) routing/security policies.

Working in a university environment like you, we do have connectivity to
some of those high-speed R&E networks, and our routing policy generally
prefers to use those paths if they are available, for reasons of
performance (offloading traffic from more traditional transit paths)
and cost/cost avoidance, as others have mentioned. Asymmetric routing is
always a possibility between two multi-homed networks. I still
occasionally have to wrestle with the notion that many people have that
asymmetric routing is bad...

If the organization at the far end is doing stateful firewalling at the
borders of their multi-homed network, then they are probably accustomed to
things 'just breaking' more often than they're willing to admit ;)

jms
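
Added example, not part of the original message: a small Python model of why stateful inspection at each border of a multi-homed site breaks a TCP handshake whose two directions cross different borders. The class and firewall names, the addresses, the simplified handshake tracking, and the shared-table case (standing in for state synchronisation between the borders) are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: tuple      # (ip, port)
    dst: tuple
    flags: str      # "SYN", "SYN-ACK" or "ACK"

@dataclass
class StatefulFirewall:
    name: str
    states: dict = field(default_factory=dict)   # flow -> handshake state

    def permits(self, p: Packet) -> bool:
        flow = frozenset((p.src, p.dst))          # same key for both directions
        if p.flags == "SYN":                      # policy: new flows are allowed
            self.states[flow] = "SYN_SEEN"
            return True
        expected = {"SYN-ACK": "SYN_SEEN", "ACK": "SYN_ACK_SEEN"}[p.flags]
        if self.states.get(flow) != expected:     # no matching state: drop
            return False
        self.states[flow] = "SYN_ACK_SEEN" if p.flags == "SYN-ACK" else "ESTABLISHED"
        return True

def handshake(inbound_fw, outbound_fw):
    """Client->server packets cross inbound_fw, replies cross outbound_fw.
    Returns (completed, description of the first drop or None)."""
    client, server = ("192.0.2.10", 40000), ("198.51.100.20", 443)  # constructed
    for pkt, fw in [(Packet(client, server, "SYN"), inbound_fw),
                    (Packet(server, client, "SYN-ACK"), outbound_fw),
                    (Packet(client, server, "ACK"), inbound_fw)]:
        if not fw.permits(pkt):
            return False, f"{fw.name} dropped {pkt.flags}"
    return True, None

if __name__ == "__main__":
    re_fw = StatefulFirewall("re-border")
    print("symmetric: ", handshake(re_fw, re_fw))
    print("asymmetric:", handshake(StatefulFirewall("re-border"),
                                   StatefulFirewall("commodity-border")))
    shared = {}   # assumption: the two borders synchronise their state tables
    print("shared:    ", handshake(StatefulFirewall("re-border", shared),
                                   StatefulFirewall("commodity-border", shared)))
```

In the asymmetric case the SYN creates state only on the border it entered through, so the other border sees a SYN-ACK for a flow it has never heard of and drops it.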