nanog mailing list archives

Re: asymmetric routes/security concerns/Fortinet


From: John Kristoff <jtk () cymru com>
Date: Fri, 7 Jan 2011 16:43:29 -0600

On Fri, 7 Jan 2011 13:56:00 -0500
Greg Whynott <Greg.Whynott () oicr on ca> wrote:

> The localpref is something I'll look at, thanks for that. I'm not
> a BGP expert by any stretch, and our requirements here are
> "simple". We are not a transit. I've only attempted to make the
> config safe, not efficient.

I'm not quite sure I understand what the paths look like, but you could
also append your ASN once or twice for your routes on the less
preferred path to make the other institution use the more preferred one
as long as it is available.

> I'd like to hear what you have to say about the original question,
> is there good reason in this day and age to drop traffic as described
> in the original post in your opinion?

Depends on who you ask.  I think it clearly shows a mismatch in the
assumptions of security devices, engineers and the actual behavior of
some deployed networks.

Since you're both part of ORION, ideally packets would be following the
same path in both directions.  I suggest you endeavor to make that the
common case.

However, to answer your question, dropping packets because the path is
asymmetrical would not be something I'd want my university network to
be doing.  I'd love for them to tell me it's happening though.

John

