From owner-freebsd-isp Wed Dec 19 8:53:46 2001
Delivered-To: freebsd-isp@freebsd.org
Message-ID: <013b01c188ad$ea3bc570$22b197ce@ezo.net>
From: "Jim Flowers"
Subject: Infrastructure Design with Portmasters and FreeBSD/Zebra (long)
Date: Wed, 19 Dec 2001 11:55:06 -0500
Organization: EZNets, Inc.

Our current ISP infrastructure has a head-end connection to the Internet and a number of remote POPs at the end of point-to-point connections. The Internet routers are IRX-211s and the pop-connecting routers are IRX-114s. Customer connections at the pops include dialup via PM3s and point-to-point dedicated via fbsd routers. 5 subnetted class C address blocks are used, including /30 on the numbered point-to-point links. Routing is ospf (Zebra-0.92a on fbsd). Additional Internet sources are being added to several of the POPs using BGP routing, as are some inter-pop telecom links with ospf.

I am considering renumbering all of the interior (to the Internet) infrastructure subnets to RFC1918 private addresses, primarily to promote security but also to reclaim public addresses. Customers, both dialup and dedicated, would still have public addresses routed by ospf over the RFC1918 infrastructure to allow full access to Internet services.
Local servers that require access to the Internet connections would have public addresses on their own network, allowing connections to the Internet via the RFC1918 infrastructure. Customers would also have the option to connect via a secured public subnet.

I question whether a PM3 with a private Ethernet interface and a public assigned address pool will work. I think connections would just be routed by ospf instead of proxy arp, so it would be OK. Is this correct?

This layout also relies on a web proxy (squid) host with a secondary public address on the RFC1918 subnetwork to allow http connections to Internet hosts and other cache servers. This eliminates the router loading to the unsecured public subnet that would result if the web proxy host were placed there. It seems a compromise to the concept, though explicit filtering at the IRX-211 could minimize the vulnerability. Opinions?

I am also thinking of connecting all 3 subnets (private, public and public secured) to a vlan-segmented level 2 switch to take away sniffing capability from a compromised host (mirrored to the MGMT host for management use). Will this introduce additional problems? Any other caveats? Alternate suggestions? Thanks.
Fixed-width character spacing ASCII map follows:

POP layout
=================

                 Internet
                    |
                    |                 ]--------> to previous POP (RFC1918)
                [IRX-211]        [IRX-411]--------> to next POP (RFC1918)
                    |                 |
                    |                 |
     +--+-----------+--------+--------+---- RFC1918 subnet
     |              |        |        |
     |              |        |        |
   [W/P]           [R]     [PM3]     [R]
     |              |                 |
     |              +--------> ptp    |
     |                                |
     |            Unsecure Customers (public)
     |
     |
     +----------+-- unsecured public subnet
     |          |
     |          |
   [W/P]     [MGMT]   [servers]
     |
     |
     +------+---------+-------+---- secured (public) subnet
            |         |       |
            |         |       |
        [servers]   [PM3]    [R] (secure)
                              |
                              +--------> ptp Secure Customers (public)

IRX-211 and PM3 for unsecured network uses minimal filtering
IRX-211 and PM3 for secured network uses maximal filtering
RFC1918 addresses can only be reached from secure subnet
Unsecure customers may use W/P (web proxy)
Secure customers must use W/P
Management from Internet requires first to connect to MGMT host
Management by dialup to directly connected subnet only
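The design above relies on two routing properties: OSPF must carry the public customer prefixes across links that are themselves numbered from RFC1918 space, and, once BGP sessions to additional Internet sources are added at the POPs, none of the RFC1918 infrastructure prefixes may leak into those sessions. The following ospfd.conf and bgpd.conf pair for one of the fbsd POP routers ("R" in the map) is an added illustration of both points, not configuration from the original message or from EZNets. The hostname, interface names (fxp0, fxp1), the 10.1.1.0/24 backbone, the 192.0.2.0/24 and 198.51.100.0/24 public blocks (RFC 5737 documentation addresses) and the AS numbers 64512/64513 are all placeholders.

```conf
! ospfd.conf (Zebra) -- placeholder values throughout
hostname pop-r1
password zebra
log file /var/log/ospfd.log
!
! Interface addresses come from zebra/rc.conf; ospfd only learns them.
interface fxp0
 ! RFC1918-numbered POP backbone (10.1.1.0/24)
 ip ospf cost 10
!
interface fxp1
 ! Public /30 to a dedicated customer; no OSPF neighbour expected here
 ip ospf cost 100
!
router ospf
 ospf router-id 10.1.1.2
 ! Backbone runs OSPF over private addressing ...
 network 10.1.1.0/24 area 0.0.0.0
 ! ... while the public customer /30 is advertised into the same area,
 ! so the public prefix is routed over the RFC1918 infrastructure.
 network 192.0.2.0/30 area 0.0.0.0
 ! Do not send hellos toward the customer; just advertise the link.
 passive-interface fxp1
!

! bgpd.conf (Zebra) -- placeholder values throughout
hostname pop-r1
password zebra
log file /var/log/bgpd.log
!
router bgp 64512
 bgp router-id 10.1.1.2
 ! Only the public aggregate is originated.
 network 192.0.2.0/24
 ! Upstream at this POP (placeholder address and AS).
 neighbor 198.51.100.1 remote-as 64513
 neighbor 198.51.100.1 prefix-list to-upstream out
 neighbor 198.51.100.1 prefix-list from-upstream in
!
! Outbound: permit the public aggregate only; everything else, including
! every RFC1918 infrastructure prefix, is denied by the final entry.
ip prefix-list to-upstream seq 5 permit 192.0.2.0/24
ip prefix-list to-upstream seq 10 deny any
!
! Inbound: refuse private space from the upstream so a remote leak
! cannot override routes to the local RFC1918 backbone.
ip prefix-list from-upstream seq 5 deny 10.0.0.0/8 le 32
ip prefix-list from-upstream seq 10 deny 172.16.0.0/12 le 32
ip prefix-list from-upstream seq 15 deny 192.168.0.0/16 le 32
ip prefix-list from-upstream seq 20 permit any
```

Two checks are worth making after loading this: `show ip ospf route` on a neighbouring POP router should list 192.0.2.0/30 with a next hop in 10.1.1.0/24, confirming public prefixes ride the private backbone; and `show ip bgp neighbors 198.51.100.1 advertised-routes` should show only 192.0.2.0/24. The explicit `deny any` at the end of the outbound list is the safeguard the plan depends on: with private addressing on the backbone, an accidental `redistribute ospf` into BGP would otherwise export the whole RFC1918 infrastructure.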