[135254] in North American Network Operators' Group


Re: Routing Suggestions

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jan 18 20:32:18 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <201101190054.p0J0sxBF081763@mail.r-bonomi.com>
Date: Tue, 18 Jan 2011 17:26:26 -0800
To: Robert Bonomi <bonomi@mail.r-bonomi.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 18, 2011, at 4:54 PM, Robert Bonomi wrote:

>
>> Date: Fri, 14 Jan 2011 01:50:40 -0800
>> From: Randy Bush <randy@psg.com>
>> Subject: Re: Routing Suggestions
>>
>> i'm with jon and the static crew.  brutal but simple.
>>
>> if you want no leakage, A can filter the prefix from its upstreams, both
>> can low-pref blackhole it, ...
>>
>
> One late comment --
>
> OP stated that the companies were exchanging 'sensitive' traffic. I suspect
> that they did *NOT* want this traffic to route over the public internet -if-
> the private point-to-point link goes down.  if they're running any sort of a
> dynamic/active routing protocol then -that- route is going to disappear
> if/*WHEN* the private link goes down, and the packets will be subject to
> whatever other routing rules -- e.g. a 'default' route -- are in place.
>
> This would seem to be a compelling reason to use a static route -- insuring
> that traffic _fails_ to route, instead of failing over to a public internet
> route, in the event of a link failure.
>
>
That's why I always prefer to put this traffic inside an IPSEC VPN. Then,
you gain the advantage of being able to let the internet serve as a backup
for your preferred private path while still protecting your sensitive
information.

Then I use dynamic routing and take advantage of the diverse path
capabilities.

Owen
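
[Added example, not part of the original thread or written by any of its participants.] The sketch below models the failure mode discussed in the quoted text: when the private-link route is withdrawn, longest-prefix match falls through to the default route, unless a low-preference discard ("blackhole") route for the same prefix is present. The prefix, next-hop names and preference values are constructed for illustration.

```python
import ipaddress

# Constructed sample values: documentation prefix, hypothetical next-hop names.
PARTNER = ipaddress.ip_network("198.51.100.0/24")

def lookup(rib, dst):
    """Longest-prefix match first, then lowest preference value wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in rib if r["up"] and dst in r["prefix"]]
    if not candidates:
        return "unreachable"
    best = min(candidates, key=lambda r: (-r["prefix"].prefixlen, r["pref"]))
    return best["via"]

def build_rib(blackhole):
    """Default route to the internet plus the partner prefix over the private link."""
    rib = [
        {"prefix": ipaddress.ip_network("0.0.0.0/0"), "via": "internet",
         "pref": 1, "up": True},
        {"prefix": PARTNER, "via": "private-link", "pref": 1, "up": True},
    ]
    if blackhole:
        # Same prefix, worse preference: only selected once the real route is gone.
        rib.append({"prefix": PARTNER, "via": "discard", "pref": 250, "up": True})
    return rib

def fail_link(rib, via):
    """Withdraw every route that points at the failed next hop."""
    for r in rib:
        if r["via"] == via:
            r["up"] = False

def outcome(blackhole):
    """Return (path before link failure, path after link failure)."""
    rib = build_rib(blackhole)
    before = lookup(rib, "198.51.100.10")
    fail_link(rib, "private-link")
    after = lookup(rib, "198.51.100.10")
    return before, after

if __name__ == "__main__":
    print("no blackhole  :", outcome(False))
    print("with blackhole:", outcome(True))
```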


