[163134] in North American Network Operators' Group


Re: High throughput bgp links using gentoo + stipped kernel

daemon@ATHENA.MIT.EDU (Justin M. Streiner)
Tue May 21 09:25:53 2013

Date: Tue, 21 May 2013 09:25:36 -0400 (EDT)
From: "Justin M. Streiner" <streiner@cluebyfour.org>
To: NANOG <nanog@nanog.org>
In-Reply-To: <CAPhg-wTYYQbcZEV3x45LOQODPZozQkAcCaSd1GGh+XM2r9-25w@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, 20 May 2013, Phil Fagan wrote:

> Just curious and perhaps off topic a tad, but is the stateful filtering of
> sessions on a router to replace a firewall? Or is there another reason to
> do it? I could see a benefit of creating blacklists, however,
> I'm struggling with what other benefits it would provide...service
> aware load-balancing? I'm very interested to learn what other strategies
> and/or design considerations would be made with thinking of using filtering
> on a router.
>
> I'm perfectly willing to accept consolidation of services :-)

Stateful firewalling is also painful in environments where path asymmetry 
could exist, since either the routing policy would need to be designed to 
enforce symmetry (more complex, less reliable), or the stateful 
firewalling devices would need to have a way to share state information 
with each other to accommodate asymmetry.

jms
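
The failure mode described in the message above, as an added illustration that is not part of the original post: a minimal Python model of two stateful filters on separate paths, showing a return packet dropped under asymmetry and passed once state is shared. The class, function names and addresses are constructed for this example and do not model any particular firewall product.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK", ...

def flow_key(p):
    """Direction-independent key so both halves of a connection match."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

@dataclass
class StatefulFilter:
    name: str
    inside: str                                  # trusted prefix (constructed)
    states: set = field(default_factory=set)     # connection table
    peers: list = field(default_factory=list)    # filters receiving state updates

    def process(self, p):
        key = flow_key(p)
        if key in self.states:
            return "pass"                        # matches an existing connection
        # Only a SYN originated from the inside may create new state.
        if p.flags == "SYN" and p.src.startswith(self.inside):
            self.states.add(key)
            for peer in self.peers:              # state sharing between devices
                peer.states.add(key)
            return "pass"
        return "drop"                            # no state: unsolicited traffic

def run(shared_state, symmetric=False):
    """Send a SYN out via fw-a; return the SYN-ACK via fw-a or fw-b."""
    a = StatefulFilter("fw-a", "10.")
    b = StatefulFilter("fw-b", "10.")
    if shared_state:
        a.peers.append(b)
        b.peers.append(a)
    syn = Packet("10.0.0.5", 40000, "192.0.2.10", 443, "SYN")
    synack = Packet("192.0.2.10", 443, "10.0.0.5", 40000, "SYN-ACK")
    return_fw = a if symmetric else b
    return a.process(syn), return_fw.process(synack)

if __name__ == "__main__":
    print("symmetric, no sharing: ", run(False, symmetric=True))
    print("asymmetric, no sharing:", run(False))
    print("asymmetric, shared:    ", run(True))
```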

