nanog mailing list archives
Re: iBGP next hop and multi-access media
From: David Schwartz <davids () webmaster com>
Date: Mon, 7 Oct 2002 13:02:28 -0700
On Mon, 07 Oct 2002 15:37:16 -0400, Valdis.Kletnieks () vt edu wrote:
I suppose they *could* - the fun then starts when you get a routing flap and the other router tells you that you're not on one subnet because the subnet is unreachable and would you please remove the interface? And I'm willing to bet that there's a lack of MD5 at the important places in the dataflow... ;)
What's puzzling me is how anybody has a big enough net that subnets are being added fast enough that automating the process is needed, but they don't already have a way to centrally manage the routers so they can just push the needed 'ip route 172.16.16.0 255.255.255.0 fa0/0' out somehow.
And even so, many of us have learned in very painful ways that running more than one IP subnet on the same physical network can get you into trouble very quickly. For a small SOHO network, fine, but then you usually don't use dynamic routing protocols anyway. Here's just a small sampling of what can go wrong:
1) A broadcast storm cripples all your subnets and slows some of your machines to a crawl.
2) A compromise on a machine leads to ARP mischief (such as theft of another subnet's default gateway IP), leading to TCP hijacking, password theft, or worse.
3) A DoS attack causes one machine to be completely knocked out (locks up, or reboots but fails to come back on after shutting itself off, or locks in an fsck in single user mode or some such). The DoS attack continues until the switch's table entry for that hardware address expires. Now the DoS attack pops out every port on every machine.
And on, and on, and on. You want as few machines as possible on a single Ethernet LAN because Ethernet has no protection against various types of subterfuge.
DS
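An added example, not part of the original post: one way to detect the gateway-IP theft described in item 2, by checking observed ARP sender pairs against an inventory of gateway MACs. The second subnet, all MAC addresses, the inventory tables and the sample observations are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed inventory: gateway IP -> MAC the real router answers with (constructed values).
GATEWAYS = {
    "172.16.16.1": "00:00:5e:00:01:10",
    "172.16.17.1": "00:00:5e:00:01:11",
}
# Assumed: two subnets sharing one Ethernet segment, as in the scenario above.
SUBNETS = [ipaddress.ip_network("172.16.16.0/24"),
           ipaddress.ip_network("172.16.17.0/24")]

# Constructed sample: (seconds, ARP sender IP, ARP sender MAC) seen on the wire.
SAMPLE = [
    (0, "172.16.16.1", "00:00:5e:00:01:10"),
    (1, "172.16.17.1", "00:00:5e:00:01:11"),
    (2, "172.16.16.40", "02:00:00:aa:bb:01"),
    (3, "172.16.17.1", "02:00:00:AA:BB:01"),  # .16 host claims .17's gateway
    (4, "172.16.17.1", "00:00:5e:00:01:11"),
    (5, "172.16.17.55", "02:00:00:aa:bb:02"),
]

def subnet_of(ip):
    """Return the configured subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in SUBNETS if addr in net), None)

def find_gateway_conflicts(observations, gateways=GATEWAYS):
    """Alert when a gateway IP is claimed by a MAC other than the expected one."""
    seen = defaultdict(set)  # MAC -> IPs it has claimed so far
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        expected = gateways.get(ip)
        if expected is not None and mac != expected.lower():
            # Note which other subnets this MAC already lives in: a claim that
            # crosses subnets is only possible because they share the segment.
            other = sorted({str(subnet_of(p)) for p in seen[mac]
                            if subnet_of(p) not in (None, subnet_of(ip))})
            alerts.append({"time": ts, "gateway": ip, "claimed_by": mac,
                           "expected": expected, "also_seen_in": other})
        seen[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in find_gateway_conflicts(SAMPLE):
        print(alert)
```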