Great Circle Associates Firewalls
(July 1997)
 


Subject: Re: Two ISP's to one DMZ
From: Paul Ferguson <pferguso @ cisco . com>
Date: Wed, 09 Jul 1997 17:25:23 -0400
To: "Mark Horn [ Net Ops ]" <mhorn @ funb . com>
Cc: Firewalls @ GreatCircle . COM
In-reply-to: <19970709114056 . 13725 @ capmark . funb . com>
References: <Chameleon . 868386075 . mikech @ att> <Pine . BSF . 3 . 96 . 970708003036 . 20207C-100000 @ shell4 . ba . best . com> <Chameleon . 868386075 . mikech @ att>

At 11:40 AM 07/09/97 -0400, Mark Horn [ Net Ops ] wrote:

>
>I'd love to hear more data about BGP convergence from people who are using
>BGP ... pferguso @ cisco . com?
>
>>Most routers are definitely not up to updating a
>>route through BGP. Besides, how are you going to switch between CIDRs? If I am
>>using a Sprint Class B or C IP block how am I going to route it through MCI?
>
>Both of these issues are legitimate.  BGP gobbles memory, especially if
>you're getting full Internet routes.  BGP also requires that you have
>portable address space - a rare commodity.
>

The amount of time it takes to converge routing with BGP depends on:

 o the computational platform -- the more CPU horsepower, the faster
   the path recalculation;
 o available computational resources;
 o the number of prefixes;
 o the number of AS_PATHS;
 o the number of BGP peers;
 o the volume of announcements and/or withdrawals.

Of course, one could also suggest that the speed of the links
interconnecting the BGP speakers has an effect on the rate at
which routing will reconverge, since a faster link will transfer
announcement & withdrawal information quicker than a slower link.

I have no idea what you are referring to with regard to "BGP also
requires that you have portable address space" -- this is certainly
incorrect. Perhaps you meant something else, or meant it in a
different context?

>Having only looked at it superficially, dynamic DNS + NAT seems like a
>workable solution when BGP isn't available.  But if BGP is available, it
>seems better.  And that's simply on a performance basis.  BGP also
>provides policy setting that DNS doesn't.
>

Exactly how do NAT and DNS provide for the announcement of AS's
and/or prefixes into the global routing system?

- paul

>-- 
>Mark Horn <mhorn @ funb . com>
>
>PGP Public Key available from: http://www.es.net/hypertext/pgp.html
>PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E  25 8A 76 E6 04 A1 7F C1
>


--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Herndon, Virginia   USA                                ||||      ||||
tel: +1.703.397.5938                               ..:||||||:..:||||||:..
e-mail: pferguso @ cisco . com                     c i s c o S y s t e m s

