
North American Network Operators Group


Re: iBGP next hop and multi-access media

  • From: David Schwartz
  • Date: Mon Oct 07 16:06:44 2002


On Mon, 07 Oct 2002 15:37:16 -0400, Valdis.Kletnieks@vt.edu wrote:

>I suppose they *could* - the fun then starts when you get a routing flap and
>the other router tells you that you're not on one subnet because the subnet
>is unreachable and would you please remove the interface?  And I'm willing
>to bet that there's a lack of MD5 at the important places in the dataflow...
>;)

>What's puzzling me is how anybody has a big enough net that subnets are being
>added fast enough that automating the process is needed, but they don't already
>have a way to centrally manage the routers so they can just push the needed
>'ip route 172.16.16.0 255.255.255.0 fa0/0' out somehow.

	And even so, many of us have learned in very painful ways that running more 
than one IP subnet on the same physical network can get you into trouble very 
quickly. For a small SOHO network, fine, but then you usually don't use 
dynamic routing protocols anyway.

	Here's just a small sampling of what can go wrong:

	1) A broadcast storm cripples all your subnets and slows some of your 
machines to a crawl.

	2) A compromise on a machine leads to ARP mischief (such as theft of another 
subnet's default gateway IP), leading to TCP hijacking, password theft, or 
worse.

	3) A DoS attack causes one machine to be completely knocked out (locks up, 
or reboots but fails to come back on after shutting itself off, or locks in 
an fsck in single user mode or some such). The DoS attack continues until the 
switch's table entry for that hardware address expires. Now the DoS attack 
pops out every port on every machine.

	And on, and on, and on. You want as few machines as possible on a single 
Ethernet LAN because Ethernet has no protection against various types of 
subterfuge.

	DS
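Point 2 above (a compromised host claiming another subnet's default gateway IP via ARP) is the kind of thing a defender can watch for from the switch or a monitoring host. The following is an added example, not code from the post or from NANOG: it pins the known gateway MACs of two subnets sharing one segment and flags ARP replies that contradict them, plus IP-to-MAC flips for ordinary hosts. The subnets, MACs and sample replies are constructed; the 172.16.16.0/24 subnet echoes the `ip route` example in the quoted message.

```python
"""ARP consistency check for two IP subnets on one Ethernet segment.

Added example (not from the original post). All addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: the IP and MAC the sender claims to own."""
    sender_ip: str
    sender_mac: str


# Constructed: the legitimate gateway MAC for each subnet on the shared LAN.
PINNED_GATEWAYS = {
    "172.16.16.1": "00:11:22:33:44:01",  # gateway for 172.16.16.0/24
    "172.16.17.1": "00:11:22:33:44:02",  # gateway for 172.16.17.0/24
}

# Constructed sample: two honest gateway replies, one host that changes MAC,
# and one reply in which a foreign MAC claims the 172.16.16.0/24 gateway IP.
SAMPLE_REPLIES = [
    ArpReply("172.16.16.1", "00:11:22:33:44:01"),
    ArpReply("172.16.17.1", "00:11:22:33:44:02"),
    ArpReply("172.16.17.42", "aa:aa:aa:aa:aa:01"),
    ArpReply("172.16.16.1", "DE:AD:BE:EF:00:01"),
    ArpReply("172.16.17.42", "aa:aa:aa:aa:aa:02"),
]


def detect_arp_anomalies(replies, pinned):
    """Return a list of alerts.

    ("gateway_theft", ip, expected_mac, seen_mac) when a pinned gateway IP is
    claimed by any other MAC; ("mac_flip", ip, first_mac, new_mac) when a
    non-gateway IP is claimed by a MAC different from the first one seen.
    """
    alerts = []
    first_seen = {}  # ip -> first MAC observed in this batch
    for r in replies:
        mac = r.sender_mac.lower()
        if r.sender_ip in pinned:
            expected = pinned[r.sender_ip].lower()
            if mac != expected:
                alerts.append(("gateway_theft", r.sender_ip, expected, mac))
            continue
        prev = first_seen.setdefault(r.sender_ip, mac)
        if prev != mac:
            alerts.append(("mac_flip", r.sender_ip, prev, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES, PINNED_GATEWAYS):
        print(*alert)
```

On a real network the replies would come from a port mirror or from the switch's ARP/MAC tables, and the pinned table from the router configuration rather than a literal.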
