nanog mailing list archives

Re: Sinkhole Architecture

From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Fri, 29 Apr 2005 15:41:33 +0000 (GMT)




On Fri, 29 Apr 2005, Howard C. Berkowitz wrote:


At 1:34 PM +0000 4/29/05, Christopher L. Morrow wrote:

On Fri, 29 Apr 2005, Howard C. Berkowitz wrote:


 I've seen some Cisco security presentations that include sinkholes
 composed of an ingress and egress router, interconnected with a
 switch. The switch provides access for tools such as packet
 analyzers, IDS, routing analyzers, etc. The multiple routers also
 provide more horsepower for inspection, filtering, and
 overhead-imposing measurements such as NetFlow.


the multiple routers could just be a way to get a MAC to the ingress
router for delivery over the ethernet... a sun/linux/bsd/*unix box might
provide the same function. (please logging, analysis, ids, flow
collection)


The architecture described doesn't have the two routers treating the
Ethernet as a destination:

          SinkholeIn--->Switch------>SinkholeOut
                           |
                           |
                        analyzers


hrm, 'sinkhole' to me always means 'hole' not 'sinkpassthrough'. normally
if we do this we just drop the traffic in a hole we can look at, then
release the route later after analysis. With the 'in/out' concept you have
to provide a manner to tunnel away from the hole, else you end up looping
back through it indefinitely (or so it would seem).


 I am unclear about the BGP relationship between the two routers,
 which are meant to be treated as one subsystem.  The ingress router
 (with respect to the outside) clearly has to have its BGP isolated
 from the rest of the AS, so it can't be part of the iBGP mesh.


why can't it be part of the ibgp mesh? I'm not sure I see why that would
be BAD, aside from it bouncing under load and affecting all ibgp
neighbors... so, aside from route-churn and neighbor setup/teardown churn
what other reasons?


The most basic is whether I am diverting a maliciously inserted route
to it from the edge router.


uhm, so you put a /32 into the sinkhole all traffic to that destination in
your network heads there. What 'maliciously inserted route' are you
talking about? something a customer of yours sends you?

Current thread:

Federal Security Bureau asks for more authority to control Internet Sean Donelan (Apr 28)
- Re: Federal Security Bureau asks for more authority to control Internet Dave Crocker (Apr 28)
- Re: Federal Security Bureau asks for more authority to control Internet Michael . Dillon (Apr 29)
  - Re: Federal Security Bureau asks for more authority to control Internet Suresh Ramasubramanian (Apr 29)
  - Re: Federal Security Bureau asks for more authority to control Internet william(at)elan.net (Apr 29)
  - Sinkhole Architecture Howard C. Berkowitz (Apr 29)
    - Re: Sinkhole Architecture Christopher L. Morrow (Apr 29)
    - Re: Sinkhole Architecture Howard C. Berkowitz (Apr 29)
    - Re: Sinkhole Architecture Christopher L. Morrow (Apr 29)