
List:       firewalls-gc
Subject:    RE: Two ISPs to one DMZ, really
From:       "Aaron J. Peterson" <aajpeter () best ! com>
Date:       1997-07-10 10:20:34


We're missing the bigger issue.  What service level and availability do
the customers want?  How can one obtain a particular level?  What would
the most efficient architecture be for the desired service level?  What
does any of this have to do with firewalls? :)  To answer the last one
quickly and justify the rest of this message, a company that can afford
redundancy will most likely have a parallel need for a firewall (who
doesn't?), and these are intertwined architecture issues.

I disagree that one does not get redundancy by multi-homing to the same
ISP.  It would be good to define "redundancy" more explicitly.  Certainly,
you wouldn't get "ISP redundancy", but I don't think that's really what
anyone is looking for.  They're looking for network redundancy and
resilience.  Can you measure the gain in availability provided by
connecting to ISP A and ISP B, as opposed to multi-homing to two
network-distant points on ISP A?  Is it worth the administrative overhead? 
Is it really a gain considering the increased complexity and the tendency
of more complex systems to break more frequently?  These are key
architecture issues that should be pondered before blindly deciding that,
"we must multi-home to two ISPs, despite the huge difficulties and expense
involved, because that's the only way we can get 101% availability, which
is what we must have." 

In my experience, BGP convergence has been quite fast, and the various
vicissitudes involved with dynamic DNS make it a comparatively poor
performer.  No, don't respond, mail me personally. 

If you've decided that you _must_ have two ISPs, then you'll obviously be
choosing big ones, as the chain is only as strong as its weakest link, and
since you're a major player, you'll want to play with the major leagues.
The "pros" all support, nay in many cases require, the use of BGP. 

So in the framework of that,

On Wed, 9 Jul 1997 mikech@avana.net wrote:

> *****How do you route IPs from one ISP's CIDR through another ISP???********

You force the two ISPs in question to redefine their routing policies
with each other, as well as their routing policies with you.  There is no
other way that you can do it just as a customer to two ISPs.  This is not
impossible, just difficult, and you will truly have "ISP redundancy".
You'll want to study the respective ISPs' backbones, and analyze their
outward connectivity, what NAPs they connect to, etc., and make sure
you're not losing most of your redundancy when the ISPs are viewed as a
unit.  

Outside of that framework there is still a lot of room to get high
availability and good service, which is truly the better answer to the
question for many levels of services.

You can avoid the question in various ways:

	o split groups of machines providing redundant services onto the
	  separate PA blocks from each ISP, and cope with the hit and miss. 
	o get PI address space.  Good Luck, and thanks for making me
	  upgrade to 128MB in my border routers. ;)
	o multi-home to the same ISP, choose a big one, and connect at
	  distant points on the ISP.
	o use a hybrid of the above for services of different availability 
	  requirements.


BTW, my math was incorrect, so low DNS ttls aren't as bad traffic-wise as
I made it look.  I wasn't debating if dynamic DNS works, I was challenging
a base assumption.  Without getting into it, I believe dynamic DNS's
requirement of low ttls is a serious flaw, and I strongly doubt the
methods used to show reachability percentages as a function of time.
Further discussion of this issue should probably be mailbox to mailbox, as
I'm sure the list would vigorously agree.  We'd post the consensus if we
ever came to one :).

On Wed, 9 Jul 1997, Mark Horn [ Net Ops ] wrote:

> The first thing is that you assume that yahoo's ttl for their dns records
> is 7 days.  It's 15 minutes.

I was talking of yahoo as a client to DNS services, i.e. the ttls in
question were the ttls of the rest of the world, not for yahoo's domain.

> [ math proving my error anyway ]

On Wed, 9 Jul 1997, Neil Readwin wrote:

> [ logic explaining my error clearly ]

Yep. I was wrong.

-Aaron J. Peterson
Semi-Humbled Logic 101 Flunkie
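The post asks whether two circuits to two ISPs actually buy more availability than two circuits to distant points on one ISP, once the shared ISP core and the added complexity are counted. The following is an added illustration, not the author's own figures or code: a small series/parallel availability model in which every probability is an assumed, constructed value, and the `ops_risk` factor is a hypothetical knob standing in for the extra failure modes of the more complex two-ISP arrangement.

```python
"""Availability model for the multi-homing options discussed in the post.

Constructed illustration, not the author's numbers: every probability is an
assumed per-year availability used only to show how the options compare.
"""

def series(*parts):
    """All parts must be up: availabilities multiply."""
    avail = 1.0
    for p in parts:
        avail *= p
    return avail

def parallel(*paths):
    """Any one path up is enough: multiply the failure probabilities."""
    all_down = 1.0
    for p in paths:
        all_down *= 1.0 - p
    return 1.0 - all_down

def single_homed(link, pop, core):
    """One circuit to one ISP POP, behind that ISP's core."""
    return series(link, pop, core)

def dual_same_isp(link, pop, core):
    """Two circuits to network-distant POPs of the same ISP.
    The ISP core is shared, so an ISP-wide outage takes out both paths."""
    return series(parallel(series(link, pop), series(link, pop)), core)

def dual_isp(link, pop, core, ops_risk=1.0):
    """Two circuits to two independent ISPs, glued together with BGP.
    ops_risk (assumed, hypothetical) models the extra failure modes of the
    more complex setup (inter-ISP policy, configuration mistakes); 1.0 = ignore."""
    path = series(link, pop, core)
    return series(parallel(path, path), ops_risk)

def downtime_hours_per_year(avail):
    """Convert an availability fraction into hours of outage per year."""
    return (1.0 - avail) * 365 * 24

if __name__ == "__main__":
    # Assumed numbers: circuit 99.5%, POP 99.9%, ISP core 99.95%.
    args = (0.995, 0.999, 0.9995)
    for name, a in (("single homed", single_homed(*args)),
                    ("dual, same ISP", dual_same_isp(*args)),
                    ("dual ISP, ideal", dual_isp(*args)),
                    ("dual ISP, 0.1% ops risk", dual_isp(*args, ops_risk=0.999))):
        print(f"{name:24s} {a:.6f}  ({downtime_hours_per_year(a):6.1f} h/yr down)")
```

With these assumed inputs the two-ISP option only wins while its extra complexity is ignored; a 0.1% ops-risk factor is enough to drop it below the same-ISP pair, which is the trade-off the post says should be weighed before deciding.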
