nanog mailing list archives
Re: Routing Suggestions
From: Daniel Roesen <dr () cluenet de>
Date: Thu, 13 Jan 2011 01:39:28 +0100
On Wed, Jan 12, 2011 at 07:13:53PM -0500, Lars Carter wrote:
> From a technical, operational, and security standpoint what would be the preferred way to route traffic between these two networks?
Static routing - at least "on" the direct link.

For extra "security", you might want to make sure that the sensitive traffic won't take the internet path, but only the direct connection.

Example: 192.168.0.0/24 being the prefix in question. Drop traffic for that /24 via a static Null0 (IOS et al) / discard or reject (JUNOS) route. Then add /25 statics for 192.168.0.0/25 and .128/25 via the direct link. On the BGP speaking network, make sure you don't accept 192.168.0.0/24 or more specifics of that via BGP from untrusted parties.

In case the link goes down, the /25s should become inactive, and the /24 Null/discard/reject route prevents leakage of sensitive data in unintended (untrusted) directions (e.g. Internet) via default or covering aggregate routes.

Of course all this assumes "no dynamic redundancy" etc. and some other things not further specified in your scenario. There are many ways to skin a cat.

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: dr () cluenet de -- dr@IRCnet -- PGP: 0xA85C8AA0
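The failover behaviour described in the message above, modelled as an added example that is not part of the original post: a longest-prefix-match lookup over the /24 discard route and the two /25 statics, plus the BGP import check for untrusted peers. The next-hop labels, the default route and the function names are assumptions made for illustration.

```python
import ipaddress

SENSITIVE = ipaddress.ip_network("192.168.0.0/24")  # prefix used in the post


def build_rib(direct_link_up, with_discard=True):
    """Routing table for the scenario; next-hop labels are hypothetical."""
    rib = [(ipaddress.ip_network("0.0.0.0/0"), "internet-upstream", True)]
    if with_discard:
        # Static Null0 / discard route for the whole /24: always active.
        rib.append((SENSITIVE, "discard", True))
    for half in SENSITIVE.subnets(prefixlen_diff=1):
        # The two /25 statics are active only while the direct link is up.
        rib.append((half, "direct-link", direct_link_up))
    return rib


def lookup(rib, dst):
    """Longest-prefix match over the active routes; returns the next hop."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh, active in rib if active and addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def accept_bgp_prefix(prefix, trusted_peer=False):
    """Import filter: refuse the /24 and its more specifics from untrusted peers."""
    net = ipaddress.ip_network(prefix)
    if trusted_peer:
        return True
    return not (net.version == SENSITIVE.version and net.subnet_of(SENSITIVE))


if __name__ == "__main__":
    dst = "192.168.0.200"  # constructed sample destination inside the /24
    print("link up:               ", lookup(build_rib(True), dst))
    print("link down:             ", lookup(build_rib(False), dst))
    print("link down, no discard: ", lookup(build_rib(False, with_discard=False), dst))
    for p in ("192.168.0.0/24", "192.168.0.128/25", "192.168.0.0/16"):
        print("untrusted announcement", p, "accepted:", accept_bgp_prefix(p))
```

A covering aggregate such as 192.168.0.0/16 passes the filter and is harmless here, because the /24 discard route is still the longer match.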