[134598] in North American Network Operators' Group
Re: asymmetric routes/security concerns/Fortinet
daemon@ATHENA.MIT.EDU (Greg Whynott)
Fri Jan 7 15:13:58 2011
From: Greg Whynott <Greg.Whynott@oicr.on.ca>
To: Ken Chase <ken@sizone.org>
Date: Fri, 7 Jan 2011 15:13:02 -0500
In-Reply-To: <20110107193757.GP12836@sizone.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Thanks Ken,
Some good stuff there, thanks.
Since my original email, I think I've come up with a partial solution not requiring the far end's involvement. If not, at least it would get us into a better position to utilize the ORION network when possible. We peer over a L2 tunnel with a router down in the states through one of our ISP's 10G links; I'm going to see if ORION will do the same with us. This would allow us to establish a BGP session directly with the ORION router, then I could use the localpref options, which may help.
This problem is intermittent; most of the time things are fine. Doing the above isn't going to help if path/route conditions change, but at least we'll have done all we could within reason and have a proper config.
I didn't consider the reasons you mentioned related to 'fail fast'; that does make a lot of sense. This is not the reason they claim this policy is in place; it is for security reasons.
We access ORION via GTAnet; they are within/part of/something to do with the UoT, and we are across the street.
take care,
greg
@Anthony Pardini <tony@pardini.org>
On Jan 7, 2011, at 2:45 PM, Anthony Pardini wrote:
> Firewalls aren't routers and pretty much all of them
> behave in a similar manner.
oh! thanks. 8)
On Jan 7, 2011, at 2:37 PM, Ken Chase wrote:
>
> It sounds like the target site has a possible misconfiguration if this is a
> long term issue. If they're using the open internet to get back to you and not
> ORION (when your packets arrived from ORION-based connection), then something
> is misconfigured or down. The problem is a conflict in the way BGP works and
> how people assume it works :) BGP is designed to get packets to where they
> want to go, not drop them if they're going the wrong way.