
Re: multi-homed,masquerading



On Mon, Jul 31, 2000 at 08:22:55PM +0300, ksemat at wawa.eahd.or.ug wrote:
> 	Brian, Is it possible for me to do multihop BGP to someone who is
> not on the same backbone? i.e. if for example all routes to my AS number go
> to say psg.com's router which talks BGP to my two ISPs to determine which of 
> them is up and then sends my packets via the one that is up at the moment. 
> Would this work?

Well, not really. If you want to establish whether your link to your
upstream ISP is up or down, you really should be talking BGP to _them_ - in
particular, to the first router along (i.e. the one which would be your
default route). This is pretty straightforward to set up - they can announce
a default route to you, and if the link goes down, it will drop out of your
table. You don't need a big expensive router - even a 2501 is fine for this
- and you can do it with private (unregistered) AS numbers.

But by itself, it doesn't really help you very much. It is a pretty good way
of determining which ISP is up or down, and could perhaps be used with some
NAT rules so that outgoing traffic would go via the 'other' ISP when the
main one went down. But your incoming traffic still has the same problem,
namely that incoming packets for the IP addresses you got from ISP A can
only come down ISP A's link.

Now, there is a case where this local BGP stuff could be useful, but only if
ISP A and ISP B cooperate. If they both talk BGP to you, _and_ peer with
each other; _and_ if they both give you a netblock (say a /29 from each)
which you announce to them from your router:

           |    peering   |
         ISP A --------- ISP B
            \           /
              \       /
                \   /
                  R

Now, if _your_ link from R to ISP A goes down, your outgoing traffic can go
via ISP B. Your incoming traffic will go Internet -> ISP A -> ISP B -> R.
However, this only protects you against a failure of the link between you
and ISP A, not from a failure of ISP A's network, nor a failure of ISP A's
upstream link (which is perhaps what you are more concerned about?)

This is a fundamental problem, because the rest of the Internet is not
learning about your routes - only about larger aggregated routes which your
IP addresses are contained within. I'm afraid to say that you are too small
a player to be announcing your network to the rest of the Internet via BGP -
actually, it is because your two _upstreams_ are both too small players as
well. There are already 80,000+ routes on the Internet at the moment, and
many people filter anything smaller than a /20 (an IP block big enough for
over 4,000 machines) because it is growing so rapidly.

As I mentioned before, the two most important services for incoming traffic
(DNS and mail) are inherently redundant and can be split across the two
links easily, without getting involved in routing, and I would strongly
recommend this approach to you.

There is one other possibility I can think of:

1. Buy a server and install it somewhere which has very good network
connectivity, power and air conditioning - say, a hosting facility in New
York.

2. Get some IP addresses for that box

3. Set up IP-in-IP tunnels between this box and your router (two tunnels -
one to the interface connected to ISP A, and one to the interface connected
to ISP B)

4. Run OSPF over the tunnels

5. Advertise the IP addresses you obtained in step [2] as your "public"
accessible service IP addresses, in the DNS

There is one flaw in this though - you would be better off just running your
services on the box you installed in step [1], rather than doing routing and
tunnelling.

So it's really a question of what you're trying to achieve, and how much you
have to spend. If you want reliable _inbound_ connectivity for services
which are intended mainly for access by people on the outside Internet,
putting the servers in a hosting facility may be the most cost-effective way
of achieving this. If it's just webspace you want, you can get a virtual
webserver for $10 per month or less.

For reliable _outbound_ connectivity, perhaps because you have dialup
customers downstream from you, then a NAT solution is most appropriate. If
your chief concern is that you can reach local customers of both ISPs, even
if your link to one of those ISPs is down, note that this will happen anyway
(just that the traffic will take a sub-optimal route, via the Internet and
back). If you don't like that, then try to persuade your two ISPs to peer
with each other.

Sorry I can't be of much more help.

Regards,

Brian.
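
The "talk BGP to your first-hop router, accept only a default from each
upstream, announce the /29 each ISP gave you" arrangement described above,
written out as an IOS configuration for router R. This is an added example,
not configuration from the original post or from either ISP; the interface
names, the documentation-range addresses (192.0.2.x, 198.51.100.x), the /29
assignments and the AS numbers (a private AS for R, placeholder ASNs for
the two ISPs) are all assumptions for illustration.

```cisco
! Added example (not from the original post).  Router R, a small Cisco
! such as a 2501, talking eBGP to both upstreams from a private AS.
! Assumed addressing:
!   Serial0 -> ISP A, link net 192.0.2.0/30   (ISP A .1, R .2)
!              ISP A assigns us 192.0.2.8/29
!   Serial1 -> ISP B, link net 198.51.100.0/30 (ISP B .1, R .2)
!              ISP B assigns us 198.51.100.8/29
!   AS numbers 65000 (R, private), 64601 / 64602 (ISPs, placeholders)
!
interface Ethernet0
 description LAN - secondary address carries ISP B's block
 ip address 192.0.2.9 255.255.255.248
 ip address 198.51.100.9 255.255.255.248 secondary
!
interface Serial0
 description Link to ISP A
 ip address 192.0.2.2 255.255.255.252
!
interface Serial1
 description Link to ISP B
 ip address 198.51.100.2 255.255.255.252
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 ! Originate only the two /29s we were assigned; the Ethernet0 addresses
 ! supply the matching routes that the network statements need.
 network 192.0.2.8 mask 255.255.255.248
 network 198.51.100.8 mask 255.255.255.248
 neighbor 192.0.2.1 remote-as 64601
 neighbor 192.0.2.1 description ISP A
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.1 prefix-list OUR-BLOCKS out
 neighbor 198.51.100.1 remote-as 64602
 neighbor 198.51.100.1 description ISP B
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 198.51.100.1 prefix-list OUR-BLOCKS out
 no auto-summary
!
! Accept nothing but 0.0.0.0/0 from each upstream.  This keeps the table
! tiny (a 2501 cannot hold anything like a full table) and ignores any
! other prefix an upstream leaks to us by mistake.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Announce only our own two /29s.  Without this outbound filter BGP would
! re-advertise the default learnt from ISP A to ISP B (and vice versa),
! offering R as a transit path between the two ISPs.
ip prefix-list OUR-BLOCKS seq 5 permit 192.0.2.8/29
ip prefix-list OUR-BLOCKS seq 10 permit 198.51.100.8/29
```

With both sessions up, R has two candidate defaults and installs one of
them. When the Serial0 line protocol drops, the session to ISP A is torn
down at once and its default leaves the table, so outbound traffic follows
the default from ISP B. The caveat to keep in mind: if the serial line stays
up but ISP A's router stops forwarding, the session only dies when the BGP
hold timer expires (180 seconds by default), so failover is not instant in
that case. And, as the post says, this does nothing for inbound traffic to
192.0.2.8/29 unless ISP A and ISP B peer with each other.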

-----
This is the afnog mailing list, managed by Majordomo 1.94.4

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e. use "help" for help)

This list is maintained by owner-afnog at afnog.org