Date:      Wed, 19 Dec 2001 14:17:43 -0500 (EST)
From:      Krzysztof Adamski <kadamski@netsurf.net>
To:        Jim Flowers <jflowers@ezo.net>
Cc:        portmaster-users@portmasters.com, freebsd-isp@freebsd.org
Subject:   Re: (PM) Infrastructure Design with Portmasters and FreeBSD/Zebra (long)
Message-ID:  <Pine.LNX.4.21.0112191413480.4776-100000@white.netsurf.net>
In-Reply-To: <013b01c188ad$ea3bc570$22b197ce@ezo.net>

Replacing routable IPs with RFC1918 on a PM will work just fine, but there
is one problem with it. It breaks the Path-MTU-discovery protocol. This would
be a problem for routers that can have different MTU sizes on different
interfaces, like a PM with dial-in users.
If you are efficiently using your address space you should not have a
problem with getting more addresses.

K
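The PMTUD failure mode described in the reply above, as an added example that is not part of the original thread: a small model of a path whose hops answer oversized DF packets with ICMP "Fragmentation Needed" from their own addresses, and a remote edge that drops anything sourced from RFC1918 space. The hop addresses, MTUs and the `Hop`/`discover_pmtu` names are constructed for this illustration.

```python
# Added example (not from the list thread). A DF-set packet too big for a
# hop is dropped there and ICMP type 3 code 4 is sent back FROM THE HOP'S
# OWN ADDRESS. Edges commonly drop inbound packets sourced from RFC1918
# space, so the sender never sees the ICMP and the session hangs.
# All addresses and MTUs below are constructed sample values.
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

@dataclass
class Hop:
    addr: str        # address the hop uses as ICMP source
    egress_mtu: int  # MTU of the link the packet leaves on

def forward_df(path, size, drop_private_icmp=True):
    """Forward one DF packet of `size` bytes along `path`.
    Returns ('delivered', size), ('frag_needed', mtu) when the ICMP gets
    back to the sender, or ('blackhole', hop_addr) when it was filtered."""
    for hop in path:
        if size > hop.egress_mtu:
            if drop_private_icmp and is_rfc1918(hop.addr):
                return ("blackhole", hop.addr)
            return ("frag_needed", hop.egress_mtu)
    return ("delivered", size)

def discover_pmtu(path, start=1500, drop_private_icmp=True):
    """Shrink until delivered; None means PMTUD silently failed."""
    size = start
    for _ in range(len(path) + 1):  # at most one shrink per hop
        status, detail = forward_df(path, size, drop_private_icmp)
        if status == "delivered":
            return size
        if status == "blackhole":
            return None
        size = detail
    return None

# Same topology numbered two ways; the PM3's dial-in side has the small MTU.
PUBLIC_PATH = [Hop("203.0.113.1", 1500), Hop("203.0.113.9", 1500), Hop("203.0.113.17", 576)]
PRIVATE_PATH = [Hop("203.0.113.1", 1500), Hop("10.0.0.1", 1500), Hop("10.0.1.1", 576)]

if __name__ == "__main__":
    print("public infrastructure :", discover_pmtu(PUBLIC_PATH))   # 576
    print("RFC1918 infrastructure:", discover_pmtu(PRIVATE_PATH))  # None
```

Keeping the transit hops on public addresses (or exempting their ICMP at the edge) is what lets the sender learn the 576-byte dial-in MTU.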

 On Wed, 19 Dec 2001, Jim Flowers wrote:

> Our current ISP infrastructure has a head-end connection to the Internet and
> a number of remote POPs at the end of point-to-point connections.  The
> Internet routers are IRX-211s and the pop-connecting routers are IRX-114s.
> Customer connections at the pops include dialup via PM3s and point-to-point
> dedicated via fbsd routers.  5 subnetted class C address blocks are used
> including /30 on the numbered point-to-point links.  Routing is ospf
> (Zebra-0.92a on fbsd).  Additional Internet sources are being added to
> several of the POPs using BGP routing as are some inter-pop telecom links
> with ospf.
> 
> I am considering renumbering all of the interior (to the Internet)
> infrastructure subnets to RFC1918 private addresses, primarily to promote
> security but also to reclaim public addresses.  Customers, both dialup and
> dedicated, would still have public addresses routed by ospf over the RFC1918
> infrastructure to allow full access to Internet services.  Local servers
> that require access to the Internet connections would have public addresses
> on their own network allowing connections to the Internet via the RFC1918
> infrastructure.  Customers would also have the option to connect via a
> secured public subnet.
> 
> I question that a PM3 with a private Ethernet interface and a public
> assigned address pool will work.  I think connections would just be routed
> by ospf instead of proxy arp so it would be OK.  Is this correct?
> 
> This layout also relies on a web proxy (squid) host with a secondary public
> address on the RFC1918 subnetwork to allow http connections to Internet
> hosts and other cache servers.  Eliminates loading router to unsecured
> public subnet that would result if the web proxy host were placed there.
> Seems a compromise to the concept though explicit filtering at the IRX-211
> could minimize the vulnerability.  Opinions?
> 
> I am also thinking of connecting all 3 subnets (private, public and public
> secured) to a vlan segmented level 2 switch to take away sniffing capability
> from a compromised host (mirrored to the MGMT host for management use).
> Will this introduce additional problems?
> 
> Any other caveats?
> 
> Alternate suggestions?
> 
> Thanks.
> 
> Fixed width character spacing ASCII map follows:
> 
> POP layout
> 
> ================= Internet
>     |
>     |                    ]--------> to previous POP (RFC1019)
>    [IRX-211]     [IRX-411]--------> to next POP (RFC1918)
>     |    |           |
>     |    +--+--------+-------+-------+---- RFC1918 subnet
>     |       |        |       |       |
>     |     [W/P]     [R]    [PM3]    [R]
>     |                |       |       +--------> ptp
>     |                |       Unsecure Customers (public)
>     |                |
>     |                +----------+-- unsecured public subnet
>     |                           |
>     |    [W/P]    [MGMT]    [servers]
>     |      |         |
>     +------+---------+-------+---- secured (public) subnet
>            |         |       |
>        [servers]   [PM3]    [R]
>        (secure)      |       +--------> ptp
>                      Secure Customers (public)
> 
> IRX-211 and PM3 for unsecured network use minimal filtering
> IRX-211 and PM3 for secured network use maximal filtering
> RFC1918 addresses can only be reached from secure subnet
> Unsecure customers may use W/P (web proxy)
> Secure customers must use W/P
> Management from Internet requires first to connect to MGMT host
> Management by dialup to directly connected subnet only
> 





