medin@NSIPO.NASA.GOV ("Milo S. Medin", NASA ARC NSI Project Office) (01/31/90)
JQ, this behavior falls out of the way OSPF implements variable length subnet support. It could have restricted this, but that would have been restricting something potentially useful.

First off, by proper configuration (and this is the default way it works I believe) of areas, you can ensure all the pieces of a subnet must remain in that area, as when you cross an area boundary, you would normally collapse all the subnet routes to network routes. Note that if this was all that was supported by OSPF, people who had large Class A networks would not be able to use multiple areas. So OSPF allows you to collapse that subnet information to some mask that isn't the natural mask of the network number in use. So you could form 'class B'ish' clusters of subnets in areas, and still be able to use the Class A net to wire it all together.

I should point out that any regional use of this feature could be set up in a way that would prevent external paths outside an area healing the partition. Just use a separate area for the campus, and don't allow a non-natural mask collapse to occur. OSPF however does not allow subnet information to come inside from external to the AS, so a regional's subnet partition won't be healed from outside the system, though of course the usual things to reconstitute network reachability could work.

Also note that OSPF has a trust model built into it. Intra-area routes can never be overridden by inter-area routes, which in turn cannot be overridden by external routes. Thus if a subnet is reachable by some internal path, there is no way for someone outside the area to override it. So it's not quite as bad as you think.

Also note that there is no reason why the campus and the regional should HAVE to run a common IGP. It has its advantages and its disadvantages. I certainly don't see a reason why a campus shouldn't be its own area. It can run its own authentication scheme, separate from what authentication scheme the backbone supports.
Remember that OSPF supports authentication too, and most people will want to use this capability.

I should point out that people have been screaming for a routing protocol that supports variable length masks for some time. A common case is a site with a large bridged backbone with lots of hosts on it, and several small subnets hung off of it supporting office automation groups, clusters of workstations, AppleTalk nonsense, etc... So the IETF built a protocol that did! We do listen you know!

BTW, I don't think it's really a network management issue, it's just that us old-timers don't normally think about things like this working. All it takes is some people adjustment. :-) It's been my experience that most people love having new capabilities, even if they have to go find some nails to try them out on...

Thanks,
Milo
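
The area-boundary collapse and the route-type precedence described in the message above, as an added example that is not part of the original post and is not taken from any OSPF implementation. The `Route` type, the function names, the net 10 addresses and the costs are all constructed for illustration, and the cost given to the collapsed route is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Preference order stated in the post; a lower rank wins regardless of cost.
PATH_RANK = {"intra-area": 0, "inter-area": 1, "external": 2}

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    path_type: str
    cost: int

def net(s):
    return ipaddress.ip_network(s)

def summarize(area_routes, area_range):
    """What an area border router advertises out of the area: subnets inside
    the configured range collapse into one route; others pass through."""
    rng = net(area_range)
    inside = [r for r in area_routes if r.prefix.subnet_of(rng)]
    out = [Route(r.prefix, "inter-area", r.cost)
           for r in area_routes if not r.prefix.subnet_of(rng)]
    if inside:
        # Assumption: the summary carries the largest component cost.
        out.append(Route(rng, "inter-area", max(r.cost for r in inside)))
    return out

def select(candidates):
    """Choose among routes to the same prefix: path type first, then cost."""
    return min(candidates, key=lambda r: (PATH_RANK[r.path_type], r.cost))

# Constructed sample: variable-length subnets of Class A net 10 in one area.
CAMPUS = [Route(net("10.1.1.0/24"), "intra-area", 10),
          Route(net("10.1.2.0/24"), "intra-area", 40),
          Route(net("10.1.64.0/18"), "intra-area", 20)]

# Constructed sample: cheaper claims for a campus subnet from outside the area.
CLAIMS = [CAMPUS[1],
          Route(net("10.1.2.0/24"), "inter-area", 5),
          Route(net("10.1.2.0/24"), "external", 1)]

if __name__ == "__main__":
    print(summarize(CAMPUS, "10.1.0.0/16"))   # one 'class B-ish' route
    print(select(CLAIMS))                     # the intra-area route
```

The second call shows the trust property: the external claim with cost 1 loses to the intra-area route with cost 40, because cost is only compared between routes of the same path type.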