
List:       firewalls-gc
Subject:    Re: Two ISP's to one DMZ
From:       "Mark Horn [ Net Ops ]" <mhorn () funb ! com>
Date:       1997-07-09 18:10:48

Paul Ferguson says:
>I have no idea what you are referring to with regards to "BGP also
>requires that you have portable address space" -- this is certainly
>incorrect. Perhaps you meant something else, or meant it in a
>different context?

What I mean is that I can't originate a network in my AS that's already
originated in someone else's AS.  Let's suppose FooBar Internet Services
assigns me 210.210.210.0/24, and that I'm multi-homed to Widget Internet
Access.  In order for me to advertise this address to Widget, one of two
things needs to be true:

        1) I am part of FooBar's AS - which means I am doing IBGP peering
           with FooBar and EBGP peering with Widget.

                        or 

        2) That network is not part of FooBar's AS - IOW it's a portable
           address space.

If neither of those is true and I try to originate that network, won't I
end up with conflicts at the NAP?  Won't this also create a BlackHole?

Since just doing BGP peering with some ISP's is hard enough, I assume that
doing item 1) above is next to impossible.  Certainly, if I were an ISP, I
wouldn't want one of my customers to be capable of messing with my
routing policy.  Thus I make the assumption that the only practical means
of doing BGP is by getting portable address space.

You are the expert, though.  So if I'm misled, please guide me back into
the light!

>Exactly how does NAT and DNS provide for the announcement of AS's
>and/or prefixes into the global routing system?

You simply use the address space that's provided by your ISP.  Each of
your ISP's manage announcement of their prefixes into the global routing
system.  What dynamic DNS + NAT does is allow you to look like FooBar's
addresses from FooBar's perspective, and look like Widget's addresses from
Widget's perspective.  Meanwhile, you have a private address sitting
behind the NAT.

Suppose your link to Widget goes down.  You have to be able to detect
this, and modify your DNS records.  When all is working www.mycompany.com
returns (alternatively) an address in FooBar's space and an address in
Widget's space.  If Widget goes down, I have to modify my DNS so that
www.mycompany.com only returns the FooBar address.

Again, I don't really like this.  When all is working, how do you tell
FooBar's customers that www.mycompany.com is a FooBar address, and prevent
those customers from getting a Widget address?  And vice versa for Widget
customers.  

-- 
Mark Horn <mhorn@funb.com>

PGP Public Key available from: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E  25 8A 76 E6 04 A1 7F C1

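The "dynamic DNS + NAT" scheme Mark describes (one real server on a private address, a NAT'd public address in each ISP's non-portable block, and A records that are withdrawn when a link dies) can be modelled in a few dozen lines. The example below is added here and is not code from the original thread; it also goes one step beyond the post by answering Mark's closing question with the usual split-horizon trick, preferring the address reachable through an ISP when the querying resolver sits inside that ISP's own address space. FooBar's 210.210.210.0/24 is taken from the post; the FooBar aggregate, the Widget prefixes, the private 10.1.1.80 host and the link probe are constructed placeholders.

```python
# Added example (not from the original post): a model of the "dynamic DNS + NAT"
# multihoming scheme. Every prefix except FooBar's 210.210.210.0/24 (named in the
# post) is a constructed placeholder.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class Uplink:
    isp: str
    assigned: IPv4Net          # block this ISP assigned to us (non-portable)
    isp_nets: List[IPv4Net]    # prefixes the ISP originates; its customers live here
    www_public: IPv4Addr       # NAT'd address of www inside our assigned block
    up: bool = True


@dataclass
class DnsNatFailover:
    hostname: str
    www_private: IPv4Addr      # the one real server sitting behind the NAT
    uplinks: List[Uplink]
    ttl: int = 60              # keep short, or cached answers outlive the failover

    def nat_table(self) -> Dict[str, str]:
        """Static NAT: each ISP-facing public address maps to the same private host."""
        return {str(u.www_public): str(self.www_private) for u in self.uplinks}

    def refresh(self, probe: Callable[[Uplink], bool]) -> List[str]:
        """Run the link-health probe over every uplink and record the result.
        Returns the ISPs whose state changed, i.e. whose records need rewriting."""
        changed = []
        for u in self.uplinks:
            state = bool(probe(u))
            if state != u.up:
                u.up = state
                changed.append(u.isp)
        return changed

    def answers(self, client: Optional[str] = None) -> List[str]:
        """A records to publish right now. Only live uplinks are handed out; if the
        querying resolver is inside one ISP's address space, prefer the address
        reached through that ISP (split-horizon, the question at the end of the post).
        Without a live same-ISP path the client simply gets whatever is still up."""
        live = [u for u in self.uplinks if u.up]
        if client is not None:
            c = ipaddress.ip_address(client)
            same_isp = [u for u in live if any(c in n for n in u.isp_nets)]
            if same_isp:
                live = same_isp
        return [str(u.www_public) for u in live]

    def zone_lines(self, client: Optional[str] = None) -> List[str]:
        """Render the current answers as zone-file A records."""
        return [f"{self.hostname}. {self.ttl} IN A {a}" for a in self.answers(client)]


def build_example() -> DnsNatFailover:
    """Constructed topology: two uplinks, one private web server."""
    foobar = Uplink("FooBar", IPv4Net("210.210.210.0/24"),
                    [IPv4Net("210.210.0.0/16")],             # constructed aggregate
                    IPv4Addr("210.210.210.80"))
    widget = Uplink("Widget", IPv4Net("198.51.100.0/24"),     # constructed
                    [IPv4Net("198.51.100.0/24"), IPv4Net("203.0.113.0/24")],
                    IPv4Addr("198.51.100.80"))
    return DnsNatFailover("www.mycompany.com", IPv4Addr("10.1.1.80"), [foobar, widget])


if __name__ == "__main__":
    site = build_example()
    print(site.zone_lines())                      # both ISPs' addresses while all is well
    print(site.refresh(lambda u: u.isp != "Widget"))  # simulated: Widget link fails
    print(site.zone_lines())                      # only the FooBar address remains
    print(site.zone_lines(client="203.0.113.9"))  # a Widget customer still gets FooBar
```

The `refresh` step is where the detection Mark insists on has to live: it must be driven by something that actually tests reachability through each link, and the TTL on the published records bounds how long clients keep using a withdrawn address after a failover.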
