Date:      Wed, 19 Dec 2001 11:55:06 -0500
From:      "Jim Flowers" <jflowers@ezo.net>
To:        <portmaster-users@portmasters.com>, <freebsd-isp@freebsd.org>
Subject:   Infrastructure Design with Portmasters and FreeBSD/Zebra (long)
Message-ID:  <013b01c188ad$ea3bc570$22b197ce@ezo.net>

Our current ISP infrastructure has a head-end connection to the Internet and
a number of remote POPs at the end of point-to-point connections.  The
Internet routers are IRX-211s and the pop-connecting routers are IRX-114s.
Customer connections at the pops include dialup via PM3s and point-to-point
dedicated via fbsd routers.  5 subnetted class C address blocks are used
including /30 on the numbered point-to-point links.  Routing is ospf
(Zebra-0.92a on fbsd).  Additional Internet sources are being added to
several of the POPs using BGP routing as are some inter-pop telecom links
with ospf.

I am considering renumbering all of the interior (to the Internet)
infrastructure subnets to RFC1918 private addresses, primarily to promote
security but also to reclaim public addresses.  Customers, both dialup and
dedicated, would still have public addresses routed by ospf over the RFC1918
infrastructure to allow full access to Internet services.  Local servers
that require access to the Internet connections would have public addresses
on their own network allowing connections to the Internet via the RFC1918
infrastructure.  Customers would also have the option to connect via a
secured public subnet.

I question that a PM3 with a private Ethernet interface and a public
assigned address pool will work.  I think connections would just be routed
by ospf instead of proxy arp so it would be OK.  Is this correct?

This layout also relies on a web proxy (squid) host with a secondary public
address on the RFC1918 subnetwork to allow http connections to Internet
hosts and other cache servers.  Eliminates loading router to unsecured
public subnet that would result if the web proxy host were placed there.
Seems a compromise to the concept though explicit filtering at the IRX-211
could minimize the vulnerability.  Opinions?

I am also thinking of connecting all 3 subnets (private, public and public
secured) to a vlan segmented level 2 switch to take away sniffing capability
from a compromised host (mirrored to the MGMT host for management use).
Will this introduce additional problems?

Any other caveats?

Alternate suggestions?

Thanks.

Fixed width character spacing ASCII map follows:

POP layout

================= Internet
    |
    |                    ]--------> to previous POP (RFC1918)
   [IRX-211]     [IRX-411]--------> to next POP (RFC1918)
    |    |           |
    |    +--+--------+-------+-------+---- RFC1918 subnet
    |       |        |       |       |
    |     [W/P]     [R]    [PM3]    [R]
    |                |       |       +--------> ptp
    |                |       Unsecure Customers (public)
    |                |
    |                +----------+-- unsecured public subnet
    |                           |
    |    [W/P]    [MGMT]    [servers]
    |      |         |
    +------+---------+-------+---- secured (public) subnet
           |         |       |
       [servers]   [PM3]    [R]
       (secure)      |       +--------> ptp
                     Secure Customers (public)

IRX-211 and PM3 for unsecured network uses minimal filtering
IRX-211 and PM3 for secured network uses maximal filtering
RFC1918 addresses can only be reached from secure subnet
Unsecure customers may use W/P (web proxy)
Secure customers must use W/P
Management from Internet requires first to connect to MGMT host
Management by dialup to directly connected subnet only
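
The filtering rules listed above for the IRX-211 and the secured subnet, modelled as an added example that is not the poster's configuration and is not ComOS, Zebra or ipfw syntax. The address plan is constructed from the documentation range 192.0.2.0/24; the management ports, the anti-spoofing rule on the Internet interface, and the host addresses (MGMT_HOST, PROXY_PUBLIC) are assumptions made for the example:

```python
from ipaddress import ip_address, ip_network

# Address plan (constructed for this example; the real POP uses 5 class Cs).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUR_PUBLIC      = ip_network("192.0.2.0/24")    # all public space routed by this POP
SECURE_PUBLIC   = ip_network("192.0.2.0/26")    # secured (public) subnet: servers, MGMT, PM3, router
UNSECURE_PUBLIC = ip_network("192.0.2.64/26")   # unsecured public subnet
SECURE_POOL     = ip_network("192.0.2.128/26")  # PM3 address pool, secure customers
UNSECURE_POOL   = ip_network("192.0.2.192/26")  # PM3 address pool, unsecure customers
MGMT_HOST       = ip_address("192.0.2.10")      # assumed: only management entry point from the Internet
PROXY_PUBLIC    = ip_address("192.0.2.5")       # assumed: squid's secondary (public) address
MGMT_PORTS      = {22, 23}                      # assumed: ssh and telnet


def in_any(addr, nets):
    return any(addr in n for n in nets)


def is_rfc1918(addr):
    return in_any(addr, RFC1918)


def check(src, dst, proto="tcp", dport=None, from_internet=False):
    """First-match filter decision for one flow.

    from_internet=True means the packet arrived on the IRX-211's Internet
    side; False means it originated inside the POP (customer, server or
    infrastructure).  Returns ("permit" | "deny", reason).
    """
    src, dst = ip_address(src), ip_address(dst)

    if from_internet:
        # Anti-spoofing on the Internet interface (assumed rule): nothing
        # outside may claim an RFC1918 address or one of our public ones.
        if is_rfc1918(src) or src in OUR_PUBLIC:
            return "deny", "spoofed source on Internet interface"
        # Infrastructure is numbered from RFC1918 and must be unreachable
        # from outside, whatever the upstream happens to route.
        if is_rfc1918(dst):
            return "deny", "RFC1918 destination from Internet"
        # "Management from Internet requires first to connect to MGMT host".
        if dport in MGMT_PORTS and dst in SECURE_PUBLIC and dst != MGMT_HOST:
            return "deny", "management from Internet only via MGMT host"
        return "permit", "inbound to public address"

    # Traffic that originated inside the POP.
    if is_rfc1918(src) and dst not in OUR_PUBLIC and not is_rfc1918(dst):
        # Infrastructure addresses never leave toward the Internet; the
        # proxy uses its public secondary address for that.
        return "deny", "RFC1918 source toward Internet"
    if is_rfc1918(dst) and not (src in SECURE_PUBLIC or src in SECURE_POOL or is_rfc1918(src)):
        # "RFC1918 addresses can only be reached from secure subnet".
        return "deny", "RFC1918 reachable only from secure subnet"
    if src in SECURE_POOL and proto == "tcp" and dport == 80 and dst != PROXY_PUBLIC:
        # "Secure customers must use W/P"; unsecure customers may go direct.
        return "deny", "secure customers must use the web proxy"
    return "permit", "policy default"


# Constructed sample flows: (src, dst, proto, dport, from_internet).
SAMPLE_FLOWS = [
    ("203.0.113.9", "192.0.2.10",  "tcp",  22,   True),   # admin ssh to the MGMT host
    ("203.0.113.9", "192.0.2.3",   "tcp",  22,   True),   # admin ssh straight to a secure server
    ("203.0.113.9", "10.1.0.1",    "icmp", None, True),   # ping an RFC1918 router from outside
    ("10.1.0.9",    "192.0.2.70",  "tcp",  80,   True),   # spoofed RFC1918 source from outside
    ("192.0.2.200", "10.1.0.1",    "tcp",  23,   False),  # unsecure customer telnets to a router
    ("192.0.2.3",   "10.1.0.1",    "tcp",  23,   False),  # secure server telnets to a router
    ("10.1.0.5",    "203.0.113.9", "tcp",  80,   False),  # squid leaving via its private address
    ("192.0.2.130", "203.0.113.9", "tcp",  80,   False),  # secure customer, direct http
    ("192.0.2.130", "192.0.2.5",   "tcp",  80,   False),  # secure customer via the proxy
    ("192.0.2.200", "203.0.113.9", "tcp",  80,   False),  # unsecure customer, direct http
]


def evaluate(flows=SAMPLE_FLOWS):
    """Verdict for each sample flow, in order."""
    return [check(s, d, p, port, inet)[0] for s, d, p, port, inet in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate()):
        print(f"{flow[0]:>13} -> {flow[1]:<13} {flow[2]:<4} {str(flow[3]):<4} "
              f"{'inet' if flow[4] else 'pop ':<4}  {verdict:<6} {check(*flow)[1]}")
```

The model makes the weak point the post itself raises visible: the squid host is the one machine that holds both an RFC1918 address and a public one, so the egress rule never fires for it, and a compromise of that host reaches the infrastructure subnet regardless of the IRX-211 filters. Any real ruleset should pin that host down separately.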

