Sinkhole Architecture

Howard C. Berkowitz hcb at gettcomm.com
Fri Apr 29 11:59:57 UTC 2005


I've seen some Cisco security presentations that include sinkholes 
composed of an ingress and egress router, interconnected with a 
switch. The switch provides access for tools such as packet 
analyzers, IDS, routing analyzers, etc. The multiple routers also 
provide more horsepower for inspection, filtering, and 
overhead-imposing measurements such as NetFlow.

I am unclear about the BGP relationship between the two routers, 
which are meant to be treated as one subsystem.  The ingress router 
(with respect to the outside) clearly has to have its BGP isolated 
from the rest of the AS, so it can't be part of the iBGP mesh.

My assumption is that the ingress router has to be either a 
confederation AS, or route reflector client, talking to the egress 
router.  The latter is part of the main iBGP mesh, although it could 
be a client in a next hierarchical reflection cluster. Do any of 
these iBGP arrangements impact having the sinkhole ingress with an 
anycast address?

Is this a correct architectural assumption?  Can anyone point me to, 
or provide a representative configuration?

I also wanted to confirm the failure modes under which static ARP 
between the routers is desirable.

Howard
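A representative configuration for the route-reflector arrangement asked about above, added here as an illustration; it is not part of the original post nor taken from the Cisco presentations it mentions. The egress router (sinkhole-out) sits in the main iBGP mesh and reflects for the ingress router (sinkhole-in), which peers with it alone; the sinkhole anycast address is a loopback on sinkhole-in, originated into BGP and reflected into the mesh; static ARP pins the two routers' link addresses. Hostnames, AS 64496, all addresses (RFC 5737/5398 documentation ranges), the MAC addresses (IANA documentation range), the victim prefix and the password are assumptions, and the syntax is classic IOS 12.x from memory, to be checked against the platform actually in use.

```text
!=== sinkhole-out: egress router, member of the main iBGP mesh (assumed names/addresses) ===
hostname sinkhole-out
!
interface Loopback0
 ip address 203.0.113.2 255.255.255.255
!
interface GigabitEthernet0/1
 description sinkhole switch (analyzer/IDS/NetFlow tap) toward sinkhole-in
 ip address 192.0.2.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
! Static ARP for the peer (MAC assumed): the BGP session survives a flooded switch
! where ARP replies are dropped, and a host on the tap switch cannot take over the
! peer address by answering ARP for it.
arp 192.0.2.1 0000.5e00.5301 arpa
!
router ospf 1
 ! Carry the link subnet so the reflected /32's next-hop (192.0.2.1) resolves in
 ! the mesh; passive, so sinkhole-in never joins the IGP.
 passive-interface GigabitEthernet0/1
 network 192.0.2.0 0.0.0.3 area 0
 network 203.0.113.2 0.0.0.0 area 0
!
router bgp 64496
 bgp log-neighbor-changes
 bgp cluster-id 192.0.2.2
 ! Upstream: ordinary iBGP to the core route reflector (address assumed)
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 update-source Loopback0
 ! Sinkhole side: sinkhole-in is a client of this router only
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 route-reflector-client
 neighbor 192.0.2.1 password SINKHOLE-SECRET
 neighbor 192.0.2.1 route-map SINKHOLE-IN in
 neighbor 192.0.2.1 route-map SINKHOLE-OUT out
!
! Accept only the anycast /32 from the sinkhole, so a misconfigured or compromised
! sinkhole router cannot inject other prefixes into the mesh.
ip prefix-list SINKHOLE-ANYCAST seq 5 permit 198.51.100.1/32
route-map SINKHOLE-IN permit 10
 match ip address prefix-list SINKHOLE-ANYCAST
! Send the sinkhole nothing: it needs no view of the network.
route-map SINKHOLE-OUT deny 10
!
!=== sinkhole-in: ingress router, peers with sinkhole-out only ===
hostname sinkhole-in
!
interface Loopback0
 description anycast sinkhole address, identical at every sinkhole site
 ip address 198.51.100.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ! no ICMP unreachables: sunk traffic must not generate backscatter
 no ip unreachables
 ip flow ingress
!
arp 192.0.2.2 0000.5e00.5302 arpa
!
router bgp 64496
 bgp log-neighbor-changes
 neighbor 192.0.2.2 remote-as 64496
 neighbor 192.0.2.2 password SINKHOLE-SECRET
 ! Originate the anycast /32 (connected via Loopback0)
 network 198.51.100.1 mask 255.255.255.255
!
! Whatever reaches the sinkhole and is not handled locally ends here.
ip route 0.0.0.0 0.0.0.0 Null0
!
!=== trigger (any router in the mesh): pull a victim /32 (assumed) into the nearest sinkhole ===
ip route 203.0.113.200 255.255.255.255 Null0 tag 66
!
router bgp 64496
 redistribute static route-map SINKHOLE-TRIGGER
!
route-map SINKHOLE-TRIGGER permit 10
 match tag 66
 set ip next-hop 198.51.100.1
 set local-preference 200
 set community no-export
```

With this split, the iBGP arrangement does not get in the way of anycast: every sinkhole site originates the same 198.51.100.1/32 from its own sinkhole-in, each site's sinkhole-out reflects it with that site's link address as next-hop (each site using its own link /30 and cluster-id), and the rest of the mesh picks the copy with the lowest IGP metric, so the triggered victim route lands in the nearest sinkhole. The two failure modes the static ARP entries cover are the ones noted in the comments: ARP replies lost while the shared switch or the routers' control plane is saturated by the sunk traffic, and a monitoring host on that switch answering ARP for a peer's address. The confederation alternative would replace the route-reflector-client lines with a sub-AS for the sinkhole (bgp confederation identifier / bgp confederation peers) and is not shown.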



More information about the NANOG mailing list