asymmetric routes/security concerns/Fortinet

Justin M. Streiner streiner at cluebyfour.org
Fri Jan 7 15:31:57 UTC 2011


> The admins at this university claim this is by design and for security 
> reasons.  My response was the entire internet is asymmetrical and 
> while this may have been a legitimate concern in the 90's,  I don't think 
> it's a real concern anymore if things are set up correctly.  They 
> suggested we add static routes to our equipment to address this…  This 
> seems like a bad idea and I am not comfortable adjusting my routing 
> table to address one site's issues on the internet due to their (not 
> ours) routing/security policies.

Working in a university environment like you, we do have connectivity to 
some of those high-speed R&E networks, and our routing policy generally 
prefers to use those paths if they are available, for reasons of 
performance (offloading traffic from more traditional transit paths) 
and cost/cost avoidance, as others have mentioned.  Asymmetric routing is 
always a possibility between two multi-homed networks.  I still 
occasionally have to wrestle with the notion that many people have that 
asymmetric routing is bad...

If the organization at the far end is doing stateful firewalling at the 
borders of their multi-homed network, then they are probably accustomed to 
things 'just breaking' more often than they're willing to admit ;)

jms
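
Added example, not part of the original message: a small simulation of the failure mode described above, where a multi-homed site runs a stateful firewall at each border and the reply comes back through a different border than the one the request left by. The class, function names, addresses and the simplified flow tracking are all constructed for illustration; the shared_state option assumes a deployment in which the border firewalls synchronise their session tables.

```python
# Added illustration: two border firewalls of one multi-homed site, each
# keeping its own connection-state table. Names, addresses and the
# simplified flow handling are constructed, not taken from the thread.

class StatefulFirewall:
    def __init__(self, name):
        self.name = name
        self.state = set()   # flows this box saw initiated from the inside

    def outbound(self, src, sport, dst, dport):
        """An inside host opens a flow through this border; record state."""
        self.state.add((src, sport, dst, dport))
        return "ALLOW"

    def inbound(self, src, sport, dst, dport):
        """Return traffic passes only if this box holds the matching state."""
        reverse = (dst, dport, src, sport)
        return "ALLOW" if reverse in self.state else "DROP"


def simulate(return_via_same_border, shared_state=False):
    """Send a request out via border A; deliver the reply via A or B.

    Returns (name of the ingress firewall, its verdict on the reply).
    """
    fw_a = StatefulFirewall("border-A")
    fw_b = StatefulFirewall("border-B")
    if shared_state:
        # Assumption: the two borders synchronise their session tables.
        fw_b.state = fw_a.state
    client = ("192.0.2.10", 40000)     # constructed inside host
    server = ("198.51.100.20", 443)    # constructed remote host
    fw_a.outbound(*client, *server)
    ingress = fw_a if return_via_same_border else fw_b
    return ingress.name, ingress.inbound(*server, *client)


if __name__ == "__main__":
    print("symmetric path:        ", simulate(True))
    print("asymmetric path:       ", simulate(False))
    print("asymmetric, state sync:", simulate(False, shared_state=True))
```

The asymmetric case is dropped at border-B only because that firewall never saw the outbound packet, not because anything about the traffic is hostile.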

