[52636] in North American Network Operators' Group


Re: iBGP next hop and multi-access media

daemon@ATHENA.MIT.EDU (David Schwartz)
Mon Oct 7 16:04:56 2002

From: David Schwartz <davids@webmaster.com>
To: <Valdis.Kletnieks@vt.edu>, Pete Templin <templin@urdirect.net>
Cc: "nanog@merit.edu" <nanog@merit.edu>
Date: Mon, 7 Oct 2002 13:02:28 -0700
In-Reply-To: <200210071937.g97JbGdd009299@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu



On Mon, 07 Oct 2002 15:37:16 -0400, Valdis.Kletnieks@vt.edu wrote:

>I suppose they *could* - the fun then starts when you get a routing flap and
>the other router tells you that you're not on one subnet because the subnet
>is unreachable and would you please remove the interface?  And I'm willing
>to bet that there's a lack of MD5 at the important places in the dataflow...
>;)

>What's puzzling me is how anybody has a big enough net that subnets are being
>added fast enough that automating the process is needed, but they don't already
>have a way to centrally manage the routers so they can just push the needed
>'ip route 172.16.16.0 255.255.255.0 fa0/0' out somehow.

	And even so, many of us have learned in very painful ways that running more
than one IP subnet on the same physical network can get you into trouble very
quickly. For a small SOHO network, fine, but then you usually don't use
dynamic routing protocols anyway.

	Here's just a small sampling of what can go wrong:

	1) A broadcast storm cripples all your subnets and slows some of your
machines to a crawl.

	2) A compromise on a machine leads to ARP mischief (such as theft of another
subnet's default gateway IP), leading to TCP hijacking, password theft, or
worse.

	3) A DoS attack causes one machine to be completely knocked out (locks up,
or reboots but fails to come back on after shutting itself off, or locks in
an fsck in single user mode or some such). The DoS attack continues until the
switch's table entry for that hardware address expires. Now the DoS attack
pops out every port on every machine.

	And on, and on, and on. You want as few machines as possible on a single
Ethernet LAN because Ethernet has no protection against various types of
subterfuge.

	DS
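A defender-side check for the ARP scenario in point 2 above, added here as an example and not part of the original message: it walks ARP replies seen on one segment that carries two subnets and flags a gateway IP whose advertised MAC changes, noting which subnet the new MAC had previously been answering for. The subnets, gateway addresses and the ARP records are constructed assumptions, not data from the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of ARP replies seen on one shared segment carrying two
# subnets: (time, sender IP, sender MAC). Not real traffic.
ARP_REPLIES = [
    ("10:00:01", "10.1.0.1",  "00:11:22:33:44:01"),  # subnet 1 gateway
    ("10:00:02", "10.2.0.1",  "00:11:22:33:44:02"),  # subnet 2 gateway
    ("10:00:03", "10.1.0.20", "aa:bb:cc:dd:ee:20"),  # host on subnet 1
    ("10:00:04", "10.2.0.1",  "aa:bb:cc:dd:ee:20"),  # same host now answers for subnet 2's gateway
    ("10:00:05", "10.2.0.30", "aa:bb:cc:dd:ee:30"),  # host on subnet 2
]

# Assumed subnets sharing the wire and their gateway addresses.
SUBNETS = [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")]
GATEWAYS = {"10.1.0.1", "10.2.0.1"}

def subnet_of(ip):
    """Return the configured subnet (as a string) containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in SUBNETS if addr in n), None)

def detect_gateway_theft(replies, gateways=GATEWAYS):
    """Flag a gateway IP whose MAC changes from the first one seen, and
    report which other subnet(s) the new MAC had already been answering for."""
    ip_to_mac = {}                      # first MAC observed for each IP
    mac_to_subnets = defaultdict(set)   # subnets each MAC has claimed addresses in
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.setdefault(ip, mac)
        victim = subnet_of(ip)
        if ip in gateways and prev != mac:
            alerts.append({
                "time": ts, "ip": ip, "old_mac": prev, "new_mac": mac,
                "victim_subnet": victim,
                "attacker_seen_in": sorted(mac_to_subnets[mac] - {victim}),
            })
        if victim:
            mac_to_subnets[mac].add(victim)
    return alerts

if __name__ == "__main__":
    for alert in detect_gateway_theft(ARP_REPLIES):
        print(alert)
```

Ordinary host IP-to-MAC changes (for example a DHCP lease moving) are deliberately ignored; only the gateway addresses are watched.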
