[80361] in North American Network Operators' Group


Re: Sinkhole Architecture

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Fri Apr 29 09:37:16 2005

Date: Fri, 29 Apr 2005 13:34:19 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
In-reply-to: <p06110410be97d1386539@[192.168.0.2]>
To: "Howard C. Berkowitz" <hcb@gettcomm.com>
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu



On Fri, 29 Apr 2005, Howard C. Berkowitz wrote:

>
> I've seen some Cisco security presentations that include sinkholes
> composed of an ingress and egress router, interconnected with a
> switch. The switch provides access for tools such as packet
> analyzers, IDS, routing analyzers, etc. The multiple routers also
> provide more horsepower for inspection, filtering, and
> overhead-imposing measurements such as NetFlow.

The multiple routers could just be a way to get a MAC to the ingress
router for delivery over the Ethernet... a Sun/Linux/BSD/*unix box might
provide the same function. (plus logging, analysis, IDS, flow
collection)

>
> I am unclear about the BGP relationship between the two routers,
> which are meant to be treated as one subsystem.  The ingress router
> (with respect to the outside) clearly has to have its BGP isolated
> from the rest of the AS, so it can't be part of the iBGP mesh.
>

Why can't it be part of the iBGP mesh? I'm not sure I see why that would
be BAD, aside from it bouncing under load and affecting all iBGP
neighbors... so, aside from route-churn and neighbor setup/teardown churn,
what other reasons?
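The arrangement the two posters are debating (an ingress router that draws sinkhole traffic in and hands it to an analysis switch, while its own BGP view stays separate from the rest of the AS) can be written down as a router configuration. The following Cisco IOS-style fragment is an added illustration, not configuration from the thread, from Cisco's presentations, or from either poster: the hostname, interface, prefixes (192.0.2.0/24, 198.51.100.1, 203.0.113.0/24) and AS number 64496 are constructed documentation values, and the route-map and prefix-list names are assumptions. It shows one way the ingress router can sit in the iBGP mesh (peering with a route reflector) yet remain isolated: it accepts nothing inbound and announces only the covering sinkhole prefix, tagged no-export so it never leaves the AS.

```cisco
! Sinkhole ingress router (assumed name "sink-in"). All addresses and AS
! numbers are constructed documentation values, not taken from the thread.
hostname sink-in
!
! Covering route for a block that carries no legitimate traffic. The next hop
! is the analysis host on the switch segment rather than Null0, so packets
! are delivered over Ethernet to the IDS / flow collector / packet capture.
ip route 192.0.2.0 255.255.255.0 203.0.113.2
!
interface GigabitEthernet0/1
 description analysis switch segment (IDS, flow collector, packet capture)
 ip address 203.0.113.1 255.255.255.0
 ip flow ingress
!
! Only the sinkhole prefix may be announced from this router.
ip prefix-list SINK-PFX seq 5 permit 192.0.2.0/24
! Nothing learned from the mesh is accepted: the box carries no full table,
! and a flap here cannot push routes inward.
ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32
!
route-map SINK-OUT permit 10
 match ip address prefix-list SINK-PFX
 set community no-export
!
router bgp 64496
 bgp log-neighbor-changes
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 description iBGP route reflector
 neighbor 198.51.100.1 next-hop-self
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 prefix-list DENY-ALL in
 neighbor 198.51.100.1 route-map SINK-OUT out
 network 192.0.2.0 mask 255.255.255.0
```

The inbound deny-all prefix list is what keeps the router's own view isolated while it still participates in the mesh; `next-hop-self` makes the rest of the AS forward sinkhole-bound traffic to this router, and `no-export` keeps the covering prefix inside the AS. Peering only with route reflectors rather than every iBGP speaker limits the blast radius of the session churn mentioned above.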

