Routing Suggestions

Daniel Roesen dr at cluenet.de
Thu Jan 13 00:39:28 UTC 2011


On Wed, Jan 12, 2011 at 07:13:53PM -0500, Lars Carter wrote:
> From a technical, operational, and security standpoint what would be the
> preferred way to route traffic between these two networks?

Static routing - at least "on" the direct link. For extra "security", you
might want to make sure that the sensitive traffic won't take the internet
path, but only the direct connection.

Example: 192.168.0.0/24 being the prefix in question. Drop traffic for that
/24 via a static Null0 (IOS et al) / discard or reject (JUNOS) route. Then
add /25 statics for 192.168.0.0/25 and .128/25 via the direct link. On the
BGP speaking network, make sure you don't accept 192.168.0.0/24 or more
specifics of that via BGP from untrusted parties.

In case the link goes down, the /25s should become inactive, and the /24
Null/discard/reject route prevents leakage of sensitive data in unintended
(untrusted) directions (e.g. Internet) via default or covering aggregate
routes.

Of course all this assumes "no dynamic redundancy" etc. and some other
things not further specified in your scenario. There are many ways to
skin a cat.

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0
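The following is an added example, not part of the original post, that models the route set Daniel describes in a small longest-prefix-match simulation: a covering /24 discard route, two /25 statics via the direct link, and a default route toward the Internet. It shows why the covering discard route matters: with the link down the /25s drop out of the RIB, and without the /24 discard the sensitive prefix would fall through to the default route. Link names, the sample table and the IOS lines quoted in comments are assumptions for illustration, not configuration from the post.

```python
import ipaddress

# Constructed static route table modelling the post's example. Next hop
# "Null0" models an IOS Null0 route or a JUNOS discard route; the other
# next hops are assumed link names. Rough IOS equivalents (interface names
# assumed) would be:
#   ip route 192.168.0.0   255.255.255.0   Null0
#   ip route 192.168.0.0   255.255.255.128 Serial0/0   (direct link)
#   ip route 192.168.0.128 255.255.255.128 Serial0/0   (direct link)
#   ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1        (Internet default)
STATIC_ROUTES = [
    ("0.0.0.0/0", "internet"),
    ("192.168.0.0/24", "Null0"),
    ("192.168.0.0/25", "direct-link"),
    ("192.168.0.128/25", "direct-link"),
]

# The same table with the covering discard route left out, to show the leak.
WITHOUT_COVERING_DISCARD = [r for r in STATIC_ROUTES if r[1] != "Null0"]

LINK_UP = {"direct-link": True, "internet": True}
LINK_DOWN = {"direct-link": False, "internet": True}


def active_routes(routes, links_up):
    """Static routes pointing at a down link leave the RIB; a discard route
    has no link to lose, so it stays active."""
    active = []
    for prefix, next_hop in routes:
        if next_hop == "Null0" or links_up.get(next_hop, False):
            active.append((ipaddress.ip_network(prefix), next_hop))
    return active


def lookup(dst, routes, links_up):
    """Longest-prefix match over the active routes; returns the next hop name."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in active_routes(routes, links_up):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else "unroutable"


def sensitive_next_hops(routes, links_up, sensitive="192.168.0.0/24"):
    """Sample hosts in both halves of the sensitive prefix and collect the
    next hops they resolve to. Anything other than the direct link or Null0
    means sensitive traffic is leaking toward an untrusted path."""
    net = ipaddress.ip_network(sensitive)
    samples = (net[1], net[127], net[128], net[254])
    return {lookup(str(host), routes, links_up) for host in samples}


if __name__ == "__main__":
    for label, table in (("with /24 discard", STATIC_ROUTES),
                         ("without /24 discard", WITHOUT_COVERING_DISCARD)):
        for state, links in (("link up", LINK_UP), ("link down", LINK_DOWN)):
            hops = sensitive_next_hops(table, links)
            print(f"{label:20s} {state:10s} sensitive traffic -> {sorted(hops)}")
    # Unrelated traffic still follows the default route in every case.
    print("203.0.113.5 ->", lookup("203.0.113.5", STATIC_ROUTES, LINK_DOWN))
```

With the link up, both tables send the sensitive /24 over the direct link. With the link down, the table that carries the covering Null0 route resolves the whole /24 to discard, while the table without it resolves it to the default route, which is exactly the leakage the post warns about. The BGP side of the advice (not accepting the /24 or its more-specifics from untrusted peers) is a separate filter and is not modelled here.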