On Fri, 1 Feb 2002 [EMAIL PROTECTED] wrote:

> It seems that the only way to make this setup work is to talk a routing
> protocol (BGP) between our internal and our external router through the
> firewall.
>
> Is this a safe solution, what are the issues when talking BGP through the
> firewall, are there other options to achieve redundancy?
I'm always hesitant to allow any dynamic routing protocol through a firewall. You end up accepting information you should trust from outside of your trust boundary- that's never a good thing- however BGP sort of works that way by default anyway...

The significant thing to worry about is how much pollution you're willing to accept inbound, and how much misdirection you're willing to accept outbound. If the internal routers accept only limited things from the two routers allowed to talk BGP to the borders, and they only accept limited things from your external peers, then you can probably limit things in those three fairly manageable zones with BGP filtering. If you're passing full internal and/or full external routing, then you're creating a trust issue that isn't easily solvable.

Box-level failure has always worked pretty well for me using equal cost routes through both packet filters (though I tend not to use "firewall" products as packet filters)- when the failing unit goes, then ARP fails and the second gateway takes over- letting the external routers in their own peer group decide which link is preferred gives link failover and best-path routing.

What point of failure are you trying to solve by passing BGP inside?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
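The three-zone BGP filtering described above (what the internal routers accept from the border routers, what the borders accept from external peers, and what the borders announce outbound), as an added example that is not part of the original post: a small Python model of router-style prefix-list evaluation (first match wins, implicit deny, `ge`/`le` length bounds) run over constructed announcements. The address ranges, zone names and policy contents are assumptions chosen for illustration, not anything from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PrefixRule:
    """One line of a router-style prefix list: permit/deny PREFIX [ge N] [le M]."""
    action: str
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: str) -> bool:
        net, base = ipaddress.ip_network(route), ipaddress.ip_network(self.prefix)
        if net.version != base.version or not net.subnet_of(base):
            return False
        if self.ge is None and self.le is None:
            return net.prefixlen == base.prefixlen   # no bounds: exact length only
        lo = self.ge if self.ge is not None else base.prefixlen
        hi = self.le if self.le is not None else net.max_prefixlen
        return lo <= net.prefixlen <= hi

def evaluate(rules, route: str) -> bool:
    """First matching rule decides; no match means deny, as on real routers."""
    for rule in rules:
        if rule.matches(route):
            return rule.action == "permit"
    return False

OWN_PREFIX = "203.0.113.0/24"   # assumed: the address space this site originates
POLICY = {
    # Zone 1: internal routers take only a default route from the two borders.
    "internal_from_border": [PrefixRule("permit", "0.0.0.0/0")],
    # Zone 2: borders refuse their own space and private space from external
    # peers, and anything more specific than /24 (inbound "pollution").
    "border_from_external": [
        PrefixRule("deny", OWN_PREFIX, le=32),
        PrefixRule("deny", "10.0.0.0/8", le=32),
        PrefixRule("permit", "0.0.0.0/0", le=24),
    ],
    # Zone 3: borders announce only the site's own prefix (outbound "misdirection").
    "border_to_external": [PrefixRule("permit", OWN_PREFIX)],
}

def filter_updates(zone: str, routes):
    """Split a batch of announced prefixes into (accepted, rejected) for a zone."""
    rules = POLICY[zone]
    accepted = [r for r in routes if evaluate(rules, r)]
    rejected = [r for r in routes if not evaluate(rules, r)]
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample announcements, one batch per trust zone.
    for zone, routes in {
        "internal_from_border": ["0.0.0.0/0", "198.51.100.0/24"],
        "border_from_external": ["198.51.100.0/24", "203.0.113.0/25", "10.1.0.0/16", "192.0.2.0/25"],
        "border_to_external": ["203.0.113.0/24", "198.51.100.0/24"],
    }.items():
        print(zone, filter_updates(zone, routes))
```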
