At 1:34 PM +0000 4/29/05, Christopher L. Morrow wrote:
On Fri, 29 Apr 2005, Howard C. Berkowitz wrote:
I've seen some Cisco security presentations that include sinkholes composed of an ingress and egress router, interconnected with a switch. The switch provides access for tools such as packet analyzers, IDS, routing analyzers, etc. The multiple routers also provide more horsepower for inspection, filtering, and overhead-imposing measurements such as NetFlow.
the multiple routers could just be a way to get a MAC to the ingress router for delivery over the ethernet... a sun/linux/bsd/*unix box might provide the same function. (please logging, analysis, ids, flow collection)
The architecture described doesn't have the two routers treating the Ethernet as a destination: SinkholeIn--->Switch------>SinkholeOut | | analyzers
I am unclear about the BGP relationship between the two routers, which are meant to be treated as one subsystem. The ingress router (with respect to the outside) clearly has to have its BGP isolated from the rest of the AS, so it can't be part of the iBGP mesh.
why can't it be part of the ibgp mesh? I'm not sure I see why that would be BAD, aside from it bouncing under load and affecting all ibgp neighbors... so, aside from route-churn and neighbor setup/teardown churn what other reasons?
The most basic is whether I am diverting a maliciously inserted route to it from the edge router.