Routing Suggestions

Hi NANOG list,

I have a simple, hypothetical question regarding preferred connectivity
methods for you guys that I would like to get the hive mind opinion about.

There are two companies, Company A and Company B, that are planning to
continuously exchange a large amount of sensitive data and are located in a
mutual datacenter. They decide to order a cross connect and peer privately
for the obvious reasons. Company A has a small but knowledgable engineering
staff and it's network is running BGP as its only routing protocol with
multiple transit vendors and a handful of other larger peers. Company B is a
smaller shop that is single homed behind one ISP through a default static
route, they have hardware that can handle advanced routing protocols but
have not had the need to implement them as of yet. There is a single prefix
on both sides that will need to be routed to the other party. It is rare
that prefixes would need to change or for additional prefixes to be added.

From an technical, operational, and security standpoint what would be the

preferred way to route traffic between these two networks?

Cheers,

Lars

I suggest using one of the reserved/private BGP asns for this purpose.

ASNumber: 64512 - 65535
ASName: IANA-RSVD2
ASHandle: AS64512
RegDate: 1995-04-06
Updated: 2009-01-14
Comment: Designated for private use [RFC1930]

- Jared

It sounds to me like Company B isn't doing BGP (probably has no experience with it) and if there's only a single prefix per side of the cross connect, especially if the cross connect is going into routers smart enough to remove a route from the table if the destination interface is down, static would do just fine.

Apply the KISS principle. Use a static route

Unless you'd like to ensure the sensitive traffic doesn't cross an
"unsafer" default rout path if the XC is down.

(Assuming the prefixes are both public IPv4/6 space to begin with.)

Adrian

Static routing - at least "on" the direct link. For extra "security", you
might want to make sure that the sensitive traffic won't take the internet
path, but only the directconnection.

Example: 192.168.0.0/24 being the prefix in question. Drop traffic for that
/24 via a static Null0 (IOS et al) / discard or reject (JUNOS) route. Then
add /25 statics for 192.168.0.0/25 and .128/25 via the direct link. On the
BGP speaking network, make sure you don't accept 192.168.0.0/24 or more
specifics of that via BGP from untrusted parties.

In case the link goes down, the /25s should become inactive, and the /24
Null/discard/reject route prevents leakage of sensitive data in unintended
(untrusted) directions (e.g. Internet) via default or covering aggregate
routes.

Of course all this assumes "no dynamic redundancy" etc. and some other
things not further specified in your scenario. There are many ways to
skin a cat.

Best regards,
Daniel

[snip]

There are two companies, Company A and Company B, that are planning to
continuously exchange a large amount of sensitive data and are located in a
mutual datacenter. They decide to order a cross connect and peer privately
for the obvious reasons. Company A has a small but knowledgable engineering
staff and it's network is running BGP as its only routing protocol with
multiple transit vendors and a handful of other larger peers. Company B is a
smaller shop that is single homed behind one ISP through a default static
route, they have hardware that can handle advanced routing protocols but
have not had the need to implement them as of yet. There is a single prefix
on both sides that will need to be routed to the other party. It is rare
that prefixes would need to change or for additional prefixes to be added.

From an technical, operational, and security standpoint what would be the
preferred way to route traffic between these two networks?

Use eBGP. Company B runs a mutually-agreed private ASN (at least from
company A's unused list). This scales from the initial deployment to
multiple cross-connects for failover [or even IPSEC tunnel over public
interfaces]. Company B should have Company A provide some clues to
their staff if needed (and get more out of the deal).

"Simple" static solutions wind up being entrenched, so move/add/change
becomes convoluted. And how many times has one prefix really stayed
that way?

BGP would have that same issue since B is default routing to their provider.

[config for B]
ip route <A's prefix> <mask> <gw to A>
ip route <A's prefix> <mask> null0 250
ip route 0.0.0.0 0.0.0.0 <B's provider>

problem solved. If the gw to A is reachable, traffic goes via the cross connect. If the gw is down, traffic goes nowhere.

There are two companies, Company A and Company B, that are planning to
continuously exchange a large amount of sensitive data and are located in a
mutual datacenter. They decide to order a cross connect and peer privately
for the obvious reasons.

Second NIC on a secure server at "A" wired with a crossover cable to a
second NIC a secure server at "B". Use an RFC1918 /30 that is null
routed on both companies routers.

KISS. Hand it off to the developers.

I was just making the observation; the solution is pretty simple.
(Yes, I've seen "secure" network cross-connects get bitten by this.

Adrian

What Joe Said.

Static with 1918 space. If they NEED global space, explain 1918
space will work and tell them to use it.

-jim

i'm with jon and the static crew. brutal but simple.

if you want no leakage, A can filter the prefix from it's upstreams,
both can low-pref blackhole it, ...

randy

My name is Joe, not jon, Randy.

But what can I expect from a man that used the phrase "tell him to go
fuck himself" when I put my hand out in greeting back at Atlanta NANOG
in 2001, when your company sales person mentioned that I should meet
you. (I was only the BGP driver and pipe buyer for Amazon at the
time.)

Even Vixie had a bit more class after I asked him a question at LISA
96 and all he said was "RTMfF. Next!" in his receiving line for
questions about BIND.. (The same LISA where Larry was selling his
first PERL book, signing shirts with Tom and Randal.) Six years later
in Seattle he gave thoughtful consideration and an insightful answer
to another question. (He had a bit of a cold that day and may have
been off-game.)

You Internet demigods need a clue stick to the head and understand
that not all of us are as smart as you and we need your advice at
times. We would much appreciate you not talking down to us when you do
decide to send words from above. BTW: Do the clouds under Mt Olympus
filter out caps?

Randy, I know my solution was right. I don't need your blessing.

Go fuck yourself.

-Joe Hamelin

PS: Thank you Jim. Always a pleasure working with (or interviewing) you.

From: "Joe Hamelin" <joe@nethead.com>
To: "Randy Bush" <randy@psg.com>, "NANOG list" <nanog@nanog.org>
Sent: Friday, January 14, 2011 6:50:05 AM
Subject: Re: Routing Suggestions
> i'm with jon and the static crew. brutal but simple.

My name is Joe, not jon, Randy.

I'm pretty sure Randy was responding to Jon Lewis...

[...]

Go fuck yourself.

Happy Friday to you too.

i'm with jon and the static crew. brutal but simple.

My name is Joe, not jon, Randy.

But what can I expect from a man that used the phrase "tell him to go
fuck himself" when I put my hand out in greeting back at Atlanta NANOG
in 2001, when your company sales person mentioned that I should meet
you. (I was only the BGP driver and pipe buyer for Amazon at the
time.)

Don't mind me. I'm invisible. I'll be at NANOG Miami in two weeks...only my second time attending one. I'll have to try meeting Randy in person this time and see if I rate better than a "fuck off".

Even Vixie had a bit more class after I asked him a question at LISA

Perhaps you had him confused with someone else.

You Internet demigods need a clue stick to the head and understand

My boss calls NANOG the Masters of the Universe conference.

Randy, I know my solution was right. I don't need your blessing.

Go fuck yourself.

It's nice to see we've really elevated the level of discourse around here

-dorn

My name is Joe, not jon, Randy.

congrats. but i was speaking of jon lewis.

randy

Beats "Unruly kids with toys" conference.

Jack

yea... back to the coffee urn for me!

(sometimes folks have hot-button-issues...)

-chris

Depending on how the interconnect is built, using the "permanent"
keyword along with the static route may be worth investigating also if
you want the static route to stay in place, if you wish to prevent the
static being withdrawn if the interface goes down.

Sam