RE: Network Availability Failover

From: Leif Sawyer <lsawyer@gci.com>
Date: Tue Jul 18 2006 - 09:05:16 AKDT

Responses inline from a network master. :-)
Well, actually they're from me. The master is away.

> On 7/17/06, Oliver Savage <oliver.savage@gmail.com> wrote:
> Maybe I should spell out what I am doing better. We have
> two ISPs: one is handling us through DHCP; we will call them
> GCISP. The other ISP is our default; they lease us several
> static IPs, and we point at their nameservers; we'll call
> them ACISP. If ACISP goes down I want to move all routing,
> both in and out, over to GCISP. At such time as ACISP comes
> back up, we move everything back over. This should be "mostly
> seamless" and automated.

Each ISP "owns" the IP space that they're handing out to you.
In other words, there is only one way to get those IPs routed
to you from the big-bad-internet, and that's through that
particular ISP. No other ISP in the world is allowed to
advertise that it can route that packet for you without some
very exciting work in BGP land, but we'll get to that.

> This would be simpler if we only wanted to get out.
> However we want traffic being routed our way to still get to
> us during an outage.
> If this traffic is bound to us via DNS that seems
> straightforward, but what about traffic coming our way via
> ACISP's static IPs?

Trying to update your services' IPs via DNS in a timely fashion
is like trying to deliver a package by certified US mail:
you're lucky if you get it even _close_ to when they said they'd
deliver, and it's more likely that you'll be out of the house
and unable to sign for it.

> When I first started looking into doing this someone
> suggested RIP; they also suggested that I should be able to
> broadcast that the "leased IPs" have moved. When I heard
> that my response was, "isn't that spoofing?" It would seem to
> me that the correct approach is to either have an arrangement
> with the ISP, or to use DNS. Isn't this just the sort of
> situation that DNS is designed for?

DNS really isn't designed for that sort of thing. Yes, it can
be fudged, but you'll still be at the mercy of everybody's DNS
cache in the rest of the world. How low a TTL are you willing
to put up with, or rather, is your provider?

The statement your informant made about "broadcasting that the IPs
have moved" is exactly correct. The routing protocol, however,
is wrong. Guess what, we're back to BGP! But now, since we're
trying to route IP space _between providers_, you're no longer able
to "lease" the space directly from your favorite ISPs.

You'll need to get hold of Provider Independent address space, and
that comes from ARIN(.org) and only ARIN. You'll need to figure
out what your minimum requirements are, and submit a request for
the space with enough documentation that they'll okay it. And ARIN
is finicky.

Once you have your PI address space assigned, you'll also be assigned
an Autonomous System number (AS) which is unique to your organization.
Any IP space assigned to your company will be tied to this AS number,
and it's this correlation that makes BGP do its thing.

Speaking of BGP, you'll now need to go to your ISPs and negotiate
BGP transit agreements with them. Transit, in this case, means that
your providers will send your route updates upstream as they're received,
and not try to "home" them for you; also that your traffic is going to
go through the internet, instead of just being locally routed.

You'll probably need to upgrade your router to handle BGP, if you're
using a Cisco box. The nice thing here is that you don't need
the full BGP tables - all you really care about is a 'zeros-route',
or your upstream default gateway. You'll be able to take your
pick from your favorite ISP, or load balance your outgoing traffic.
Your incoming traffic will come back via either of your links, and
odds are you won't be able to affect how they're routed back to you.
This is a good thing, really, as when one of your links is down, the
other will naturally take all of the traffic.

> Seems this could be done using iptables, with NAT
> masquerading, something to monitor network availability like
> http://www.linux-ha.org/HeartbeatProgram and change DNS
> accordingly for all outward-facing domains. The only thing
> would be that any services that currently depend on those
> static IPs would be sadly out of luck, and would need to be
> reconfigured to aim at domain names instead.

See above for the DNS PITA that this causes. I did this at
home for my system via cablemodem and DSL. It really never
worked right -- DNS was always behind the times.

> As you may be able to infer I am no network master. It
> would also seem like there could be plenty of poo to step in.
> Like what happens if a user is engaged in filling out a form,
> using a tunnel, etc. So then you need to start proxying, etc,
> etc. Please forgive me for my verbosity.

I'm no network master, but I do have Net Fu. Please note that
everything above is grossly simplified, and should not be used
for real planning purposes.

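Editor's note: the reply above describes the end state (own PI prefix, own AS, transit from both providers, a default route from each, your prefix announced to both) without showing what it looks like on the box. The following is an added example in Cisco IOS syntax, not configuration from the original post or from either provider. Every number in it is an assumption drawn from the documentation ranges: AS 64496 stands for the customer, AS 64500 for "ACISP" (preferred), AS 64501 for "GCISP", 192.0.2.0/24 for the PI block, and 198.51.100.1 / 203.0.113.1 for the two providers' peering addresses.

```cisco
! Added example (hypothetical values), dual-homed edge router, Cisco IOS syntax.
!
! Only our own PI block may ever leave the router. The implicit deny at the end of
! each route-map is what stops us from re-advertising one provider's routes to the
! other and accidentally becoming transit between them.
ip prefix-list OUR-PI seq 5 permit 192.0.2.0/24
!
! The "zeros-route": all we want from each provider is 0.0.0.0/0, not full tables.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map TO-PROVIDER permit 10
 match ip address prefix-list OUR-PI
!
! Higher local-preference wins, so outbound normally goes via ACISP; when its
! session drops, its default is withdrawn and the GCISP default takes over.
route-map FROM-ACISP permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
route-map FROM-GCISP permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 100
!
router bgp 64496
 bgp log-neighbor-changes
 ! Announce the PI block; IOS needs an exact-match route in the RIB for this.
 network 192.0.2.0 mask 255.255.255.0
 !
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 description ACISP (preferred transit)
 neighbor 198.51.100.1 route-map FROM-ACISP in
 neighbor 198.51.100.1 route-map TO-PROVIDER out
 !
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 description GCISP (backup transit)
 neighbor 203.0.113.1 route-map FROM-GCISP in
 neighbor 203.0.113.1 route-map TO-PROVIDER out
!
! Pull-up route so the network statement always has something to match, even
! while internal interfaces flap; a high administrative distance keeps it from
! shadowing the real internal routes for the block.
ip route 192.0.2.0 255.255.255.0 Null0 250
```

Inbound failover falls out of this without any extra work, which is the point the reply makes: both providers carry 192.0.2.0/24 with your AS as the origin, and when the ACISP session goes down ACISP's upstreams simply stop hearing it from that direction and follow the path through GCISP. Two checks a practitioner would want to run after bringing this up: `show ip bgp neighbors 198.51.100.1 advertised-routes` should list exactly one prefix (yours), and `show ip bgp 0.0.0.0` should show two paths with the ACISP one marked best. One caveat the reply's "naturally take all of the traffic" glosses over: if the provider's link stays up at layer 2 but loses connectivity further upstream, your BGP session only notices when the provider withdraws the default or the hold timer (180 seconds by IOS default) expires, so a genuinely unreachable provider can stay "up" for a few minutes before the switch happens.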

Received on Tue Jul 18 09:05:29 2006