[80367] in North American Network Operators' Group

Re: Sinkhole Architecture

daemon@ATHENA.MIT.EDU (Howard C. Berkowitz)
Fri Apr 29 11:25:04 2005

In-Reply-To: <Pine.GSO.4.58.0504291329460.13686@sharpie.argfrp.us.uu.net>
Date: Fri, 29 Apr 2005 11:24:21 -0400
To: nanog@merit.edu
From: "Howard C. Berkowitz" <hcb@gettcomm.com>
Errors-To: owner-nanog@merit.edu


At 1:34 PM +0000 4/29/05, Christopher L. Morrow wrote:
>On Fri, 29 Apr 2005, Howard C. Berkowitz wrote:
>
>>
>>  I've seen some Cisco security presentations that include sinkholes
>>  composed of an ingress and egress router, interconnected with a
>>  switch. The switch provides access for tools such as packet
>>  analyzers, IDS, routing analyzers, etc. The multiple routers also
>>  provide more horsepower for inspection, filtering, and
>>  overhead-imposing measurements such as NetFlow.
>
>the multiple routers could just be a way to get a MAC to the ingress
>router for delivery over the ethernet... a sun/linux/bsd/*unix box might
>provide the same function. (please logging, analysis, ids, flow
>collection)

The architecture described doesn't have the two routers treating the 
Ethernet as a destination:

          SinkholeIn--->Switch------>SinkholeOut
                           |
                           |
                        analyzers

>
>>
>>  I am unclear about the BGP relationship between the two routers,
>>  which are meant to be treated as one subsystem.  The ingress router
>>  (with respect to the outside) clearly has to have its BGP isolated
>>  from the rest of the AS, so it can't be part of the iBGP mesh.
>>
>
>why can't it be part of the ibgp mesh? I'm not sure I see why that would
>be BAD, aside from it bouncing under load and affecting all ibgp
>neighbors... so, aside from route-churn and neighbor setup/teardown churn
>what other reasons?

The most basic is whether I am diverting a maliciously inserted route 
to it from the edge router.
