I have a simple, hypothetical question regarding preferred connectivity
methods for you guys that I would like to get the hive mind opinion about.
There are two companies, Company A and Company B, that are planning to
continuously exchange a large amount of sensitive data and are located in a
mutual datacenter. They decide to order a cross connect and peer privately
for the obvious reasons. Company A has a small but knowledgeable engineering
staff and its network is running BGP as its only routing protocol with
multiple transit vendors and a handful of other larger peers. Company B is a
smaller shop that is single homed behind one ISP through a default static
route, they have hardware that can handle advanced routing protocols but
have not had the need to implement them as of yet. There is a single prefix
on both sides that will need to be routed to the other party. It is rare
that prefixes would need to change or for additional prefixes to be added.
From a technical, operational, and security standpoint what would be the
preferred way to route traffic between these two networks?
It sounds to me like Company B isn't doing BGP (probably has no experience with it) and if there's only a single prefix per side of the cross connect, especially if the cross connect is going into routers smart enough to remove a route from the table if the destination interface is down, static would do just fine.
Static routing - at least "on" the direct link. For extra "security", you
might want to make sure that the sensitive traffic won't take the internet
path, but only the direct connection.
Example: 192.168.0.0/24 being the prefix in question. Drop traffic for that
/24 via a static Null0 (IOS et al) / discard or reject (JUNOS) route. Then
add /25 statics for 192.168.0.0/25 and .128/25 via the direct link. On the
BGP speaking network, make sure you don't accept 192.168.0.0/24 or more
specifics of that via BGP from untrusted parties.
In case the link goes down, the /25s should become inactive, and the /24
Null/discard/reject route prevents leakage of sensitive data in unintended
(untrusted) directions (e.g. Internet) via default or covering aggregate
routes.
Of course all this assumes "no dynamic redundancy" etc. and some other
things not further specified in your scenario. There are many ways to
skin a cat.
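The route-table behaviour the reply above relies on, as an added illustration that is not part of the original thread or any participant's post: a small Python model of the longest-prefix lookup with the /24 discard route and the two /25 statics, plus the BGP import check for untrusted sessions. The next-hop labels (`xconnect`, `transit-isp`, `discard`) are placeholders invented for this example, and the script assumes the router withdraws a static route whose outgoing interface goes down, which is the behaviour the post depends on.

```python
import ipaddress

# Constructed example matching the post: 192.168.0.0/24 is the sensitive
# prefix that must only be reachable over the private cross connect.
SENSITIVE = ipaddress.ip_network("192.168.0.0/24")
HALVES = list(SENSITIVE.subnets(new_prefix=25))   # 192.168.0.0/25, 192.168.0.128/25

# Next-hop labels are placeholders for this example, not real device config.
DISCARD = "discard"        # Null0 (IOS) / discard or reject (JUNOS)
XCONNECT = "xconnect"      # static route via the direct link
TRANSIT = "transit-isp"    # default route towards the Internet


def build_rib(link_up, discard_route=True):
    """Return the active routing table as (prefix, next_hop) pairs.

    Assumption: a static route pointing at a down interface is withdrawn
    (the behaviour the post relies on). The default route and the discard
    route do not depend on any interface, so they stay installed.
    """
    rib = [(ipaddress.ip_network("0.0.0.0/0"), TRANSIT)]
    if discard_route:
        rib.append((SENSITIVE, DISCARD))
    if link_up:
        rib.extend((half, XCONNECT) for half in HALVES)
    return rib


def lookup(rib, dst):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [(p, nh) for p, nh in rib if addr in p]
    prefix, next_hop = max(candidates, key=lambda r: r[0].prefixlen)
    return next_hop


def accept_from_untrusted(prefix):
    """BGP import filter for transit and other untrusted sessions:
    refuse the sensitive /24 and anything more specific, so a leaked or
    hijacked announcement can never outrank the discard route."""
    net = ipaddress.ip_network(prefix)
    return not net.subnet_of(SENSITIVE)


if __name__ == "__main__":
    # Walk the four combinations: link up/down, with/without the /24 discard.
    for link_up in (True, False):
        for discard in (True, False):
            nh = lookup(build_rib(link_up, discard), "192.168.0.10")
            print(f"link_up={link_up!s:5} discard_route={discard!s:5} -> {nh}")
    for p in ("192.168.0.0/24", "192.168.0.0/26", "192.168.1.0/24"):
        print(p, "accepted" if accept_from_untrusted(p) else "rejected")
```

The link-down, no-discard combination is the leak the reply warns about: with the /25s gone, the only covering route left is the default towards transit. On real gear, confirm the statics actually disappear by shutting the cross-connect interface and checking the routing table, since a static that survives an interface outage defeats this scheme.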
Use eBGP. Company B runs a mutually-agreed private ASN (at least from
company A's unused list). This scales from the initial deployment to
multiple cross-connects for failover [or even IPSEC tunnel over public
interfaces]. Company B should have Company A provide some clues to
their staff if needed (and get more out of the deal).
"Simple" static solutions wind up being entrenched, so move/add/change
becomes convoluted. And how many times has one prefix really stayed
that way?
Second NIC on a secure server at "A" wired with a crossover cable to a
second NIC on a secure server at "B". Use an RFC1918 /30 that is null
routed on both companies' routers.
But what can I expect from a man that used the phrase "tell him to go
fuck himself" when I put my hand out in greeting back at Atlanta NANOG
in 2001, when your company sales person mentioned that I should meet
you. (I was only the BGP driver and pipe buyer for Amazon at the
time.)
Even Vixie had a bit more class after I asked him a question at LISA
96 and all he said was "RTMfF. Next!" in his receiving line for
questions about BIND.. (The same LISA where Larry was selling his
first PERL book, signing shirts with Tom and Randal.) Six years later
in Seattle he gave thoughtful consideration and an insightful answer
to another question. (He had a bit of a cold that day and may have
been off-game.)
You Internet demigods need a clue stick to the head and understand
that not all of us are as smart as you and we need your advice at
times. We would much appreciate you not talking down to us when you do
decide to send words from above. BTW: Do the clouds under Mt Olympus
filter out caps?
Randy, I know my solution was right. I don't need your blessing.
Go fuck yourself.
-Joe Hamelin
PS: Thank you Jim. Always a pleasure working with (or interviewing) you.
From: "Joe Hamelin" <joe@nethead.com>
To: "Randy Bush" <randy@psg.com>, "NANOG list" <nanog@nanog.org>
Sent: Friday, January 14, 2011 6:50:05 AM
Subject: Re: Routing Suggestions
> i'm with jon and the static crew. brutal but simple.
My name is Joe, not jon, Randy.
I'm pretty sure Randy was responding to Jon Lewis...
i'm with jon and the static crew. brutal but simple.
My name is Joe, not jon, Randy.
But what can I expect from a man that used the phrase "tell him to go
fuck himself" when I put my hand out in greeting back at Atlanta NANOG
in 2001, when your company sales person mentioned that I should meet
you. (I was only the BGP driver and pipe buyer for Amazon at the
time.)
Don't mind me. I'm invisible. I'll be at NANOG Miami in two weeks...only my second time attending one. I'll have to try meeting Randy in person this time and see if I rate better than a "fuck off".
Even Vixie had a bit more class after I asked him a question at LISA
Perhaps you had him confused with someone else.
You Internet demigods need a clue stick to the head and understand
My boss calls NANOG the Masters of the Universe conference.
Depending on how the interconnect is built, using the "permanent"
keyword along with the static route may also be worth investigating if
you want the static route to stay in place, i.e. to prevent the static
being withdrawn if the interface goes down.