asymmetric routes/security concerns/Fortinet
- Subject: asymmetric routes/security concerns/Fortinet
- From: streiner at cluebyfour.org (Justin M. Streiner)
- Date: Fri, 7 Jan 2011 10:31:57 -0500 (EST)
- In-reply-to: <[email protected]>
- References: <[email protected]>
> The admins at this university claim this is by design and for security
> reasons. My response was the entire internet is asymmetrical and
> while this may have been a legitimate concern in the 90's, I don't think
> it's a real concern anymore if things are set up correctly. They
> suggested we add static routes to our equipment to address this? This
> seems like a bad idea and I am not comfortable adjusting my routing
> table to address one site's issues on the internet due to their (not
> ours) routing/security policies.
Working in a university environment like you, we do have connectivity to
some of those high-speed R&E networks, and our routing policy generally
prefers to use those paths if they are available, for reasons of
performance (offloading traffic from more traditional transit paths)
and cost/cost avoidance, as others have mentioned. Asymmetric routing is
always a possibility between two multi-homed networks. I still
occasionally have to wrestle with the notion that many people have that
asymmetric routing is bad...
If the organization at the far end is doing stateful firewalling at the
borders of their multi-homed network, then they are probably accustomed to
things 'just breaking' more often than they're willing to admit ;)
jms
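
Added example, not part of the original message: a constructed Python model of why per-box stateful filtering at the borders of a multi-homed site breaks when the reply returns through a different border than the request left by. The class and function names, the addresses (documentation prefixes), and the shared-state case are assumptions made for illustration.

```python
"""Constructed model: stateful filtering at two borders of a multi-homed site."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def flow_key(p):
    # Same key for both directions of one TCP connection.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

@dataclass
class BorderFirewall:
    name: str
    inside: str                                # protected prefix
    states: set = field(default_factory=set)   # this box's connection table

    def handle(self, p):
        if ip_address(p.src) in ip_network(self.inside):
            self.states.add(flow_key(p))       # outbound: create state, pass
            return "pass"
        # Inbound: allowed only if this table holds state for the flow.
        return "pass" if flow_key(p) in self.states else "drop"

def handshake(egress, ingress):
    # SYN leaves through `egress`; the SYN-ACK comes back through `ingress`.
    syn = Packet("192.0.2.10", 40000, "198.51.100.5", 443)
    synack = Packet("198.51.100.5", 443, "192.0.2.10", 40000)
    return egress.handle(syn), ingress.handle(synack)

def run():
    site = "192.0.2.0/24"                      # constructed sample prefix
    a, b = BorderFirewall("border-A", site), BorderFirewall("border-B", site)
    shared = set()                             # assumption: one synchronised table
    c = BorderFirewall("border-C", site, shared)
    d = BorderFirewall("border-D", site, shared)
    return {
        "symmetric": handshake(a, a),          # out and back via the same border
        "asymmetric": handshake(a, b),         # reply arrives at the other border
        "shared_state": handshake(c, d),       # asymmetric path, shared table
    }

if __name__ == "__main__":
    for case, verdicts in run().items():
        print(f"{case:13} SYN={verdicts[0]} SYN-ACK={verdicts[1]}")
```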