iBGP next hop and multi-access media

David Schwartz davids at webmaster.com
Mon Oct 7 20:02:28 UTC 2002



On Mon, 07 Oct 2002 15:37:16 -0400, Valdis.Kletnieks at vt.edu wrote:

>I suppose they *could* - the fun then starts when you get a routing flap and
>the other router tells you that you're not on one subnet because the subnet
>is unreachable and would you please remove the interface?  And I'm willing
>to bet that there's a lack of MD5 at the important places in the dataflow...
>;)

>What's puzzling me is how anybody has a big enough net that subnets are being
>added fast enough that automating the process is needed, but they don't already
>have a way to centrally manage the routers so they can just push the needed
>'ip route 172.16.16.0 255.255.255.0 fa0/0' out somehow.

	And even so, many of us have learned in very painful ways that running more 
than one IP subnet on the same physical network can get you into trouble very 
quickly. For a small SOHO network, fine, but then you usually don't use 
dynamic routing protocols anyway.

	Here's just a small sampling of what can go wrong:

	1) A broadcast storm cripples all your subnets and slows some of your 
machines to a crawl.

	2) A compromise on a machine leads to ARP mischief (such as theft of another 
subnet's default gateway IP), leading to TCP hijacking, password theft, or 
worse.

	3) A DoS attack causes one machine to be completely knocked out (locks up, 
or reboots but fails to come back on after shutting itself off, or locks in 
an fsck in single user mode or some such). The DoS attack continues until the 
switch's table entry for that hardware address expires. Now the DoS attack 
pops out every port on every machine.

	And on, and on, and on. You want as few machines as possible on a single 
Ethernet LAN because Ethernet has no protection against various types of 
subterfuge.

	DS
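The "ARP mischief" in point 2 above, as an added defender-side example that is not part of the original post or anyone's code from the thread: it replays a constructed set of ARP replies seen on one shared segment carrying two subnets and flags any reply that answers for a known gateway IP with a MAC other than the gateway's own, reporting which subnet the offending MAC normally lives in. The gateway inventory, MAC addresses and switch port names are all assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    port: str          # switch port the reply arrived on (constructed)

# Constructed inventory for a segment carrying two subnets: gateway IP -> (its legitimate MAC, subnet it serves).
GATEWAYS = {
    "172.16.16.1": ("00:11:22:33:44:01", ip_network("172.16.16.0/24")),
    "172.16.17.1": ("00:11:22:33:44:02", ip_network("172.16.17.0/24")),
}

def mac_home_subnets(replies, gateways=GATEWAYS):
    """Map each non-gateway MAC to the subnet(s) its own sender IPs fall in."""
    homes = {}
    for r in replies:
        if r.sender_ip in gateways:
            continue                      # gateway addresses are checked separately
        ip = ip_address(r.sender_ip)
        for _, subnet in gateways.values():
            if ip in subnet:
                homes.setdefault(r.sender_mac.lower(), set()).add(str(subnet))
    return homes

def find_gateway_spoofs(replies, gateways=GATEWAYS):
    """Return (gateway_ip, bogus_mac, port, victim_subnet, spoofer_home_subnets) per bad reply."""
    homes = mac_home_subnets(replies, gateways)
    findings = []
    for r in replies:
        entry = gateways.get(r.sender_ip)
        if entry is None:
            continue                      # ordinary host address, nothing to check
        real_mac, subnet = entry
        mac = r.sender_mac.lower()
        if mac != real_mac.lower():
            findings.append((r.sender_ip, mac, r.port, str(subnet), sorted(homes.get(mac, ()))))
    return findings

# Constructed replies: two genuine gateways, one normal host in 172.16.16.0/24,
# and that same host (same MAC, same port) answering ARP for the other subnet's gateway.
SAMPLE_REPLIES = [
    ArpReply("172.16.16.1",  "00:11:22:33:44:01", "Gi0/1"),
    ArpReply("172.16.17.1",  "00:11:22:33:44:02", "Gi0/1"),
    ArpReply("172.16.16.20", "00:aa:bb:cc:dd:20", "Gi0/7"),
    ArpReply("172.16.17.1",  "00:aa:bb:cc:dd:20", "Gi0/7"),
]
```

Running `find_gateway_spoofs(SAMPLE_REPLIES)` yields a single finding: the MAC on Gi0/7, whose own address is in 172.16.16.0/24, is answering for 172.16.17.1, the gateway of the other subnet.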
