Re: ATM STM4/OC12 support on RNC's

2010-07-15 Thread Mikael Abrahamsson

On Fri, 16 Jul 2010, Uri Joskovitch wrote:

> I am wondering, do you see in the Wireless Backhaul application, RNC's
> that support OC12/STM4 ports for ATM services (not only OC3/STM1)?

If you need that much capacity, go for GigE instead, you'll be happy for
it in the long run.

> If the answer is yes, do they support mapping of STS3c only, STS12c only,
> or both?

I'm no ATM expert, but I've never seen ATM be anything else than
concatenated, so I'd say vc-4-4c (STM4) and plain vc4 (STM1).


--
Mikael Abrahamsson    email: swm...@swm.pp.se



ATM STM4/OC12 support on RNC's

2010-07-15 Thread Uri Joskovitch

Hi All

I am wondering, do you see in the Wireless Backhaul application, RNC's
that support OC12/STM4 ports for ATM services (not only OC3/STM1)?

If the answer is yes, do they support mapping of STS3c only, STS12c only,
or both?

Thanks

Uri




Re: Vyatta as a BRAS

2010-07-15 Thread Henry Linneweh
Edge Router Definition:
 - A term used in asynchronous transfer mode (ATM) networks, an edge router is
a device that routes data packets between one or more local area networks (LANs)
and an ATM backbone network, whether a campus network or a wide area network
(WAN). An edge router is an example of an edge device and is sometimes
referred to as a boundary router. An edge router is sometimes contrasted with
a core router, which forwards packets to computer hosts within a network (but
not between networks).


Core Router:
 - A core router is a router that forwards packets to computer hosts within a
network (but not between networks). A core router is sometimes contrasted
with an edge router, which routes packets between a self-contained network and
other outside networks along a network backbone.


Can we get a consensus definition on these definitions, and which hardware
vendors make edge routers and which hardware vendors make core routers?

I think this will make us all have the same understanding.

-henry





From: Paul WALL 
To: Dennis Burgess 
Cc: nanog@nanog.org
Sent: Thu, July 15, 2010 5:28:44 PM
Subject: Re: Vyatta as a BRAS

On Thu, Jul 15, 2010 at 1:22 PM, Dennis Burgess  wrote:
> RouterOS is a software based router, we have them all over the world as
> CORE and EDGE routers to networks.

You keep using that word ("CORE"). I do not think it means what you
think it means.

Drive Slow, DoS Slower,
Paul Wall


Re: On another security note... (of sorts)

2010-07-15 Thread todd glassey
 On 7/15/2010 11:40 AM, Michael Holstein wrote:
>> Why is it that network operators can't work together
>> on instances like this and have a "botnet killswitch" 
> Trust (or lack thereof).
If networking tools were designed properly it wouldn't matter...

It's about designing tools for the intentional creation of evidence, and
rather than arguing with the suits about what is necessary, just make
them create a list of evidence aspects and then we implement that.

This isn't complex; it's about building systems which are better (more
trustworthy) than their operators.

Just my two cents.

Todd Glassey
> Cheers,
>
> Michael Holstein
> Cleveland State University
>
>




Re: Vyatta as a BRAS

2010-07-15 Thread Jared Mauch
I have that same problem with vendors that insist that there is a core vs 
customer vs peering edge set in networks. If a customer has 10g to a specific 
peer why should one not place them on the same device, ASIC, linecard, etc.

Core today means something that is 200g+/slot capable IMHO. Anything else is 
non-core. 

Jared Mauch

On Jul 16, 2010, at 9:28 AM, Paul WALL  wrote:

> On Thu, Jul 15, 2010 at 1:22 PM, Dennis Burgess  
> wrote:
>> RouterOS is a software based router, we have them all over the world as
>> CORE and EDGE routers to networks.
> 
> You keep using that word ("CORE"). I do not think it means what you
> think it means.
> 
> Drive Slow, DoS Slower,
> Paul Wall



Re: [c-nsp] L2VPN with IP address

2010-07-15 Thread Kornelijus Survila
The multihop BGP solution might be the best one with least overhead;

however you should be able to use a GRE tunnel if you still want to do this:

! On the big router: tunnel towards the small PE. The tunnel source must be
! the interface whose address the far end uses as its tunnel destination.
interface Tunnel1
 ip address 10.10.10.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination small.router.ip

! On the small router (2821): the mirror image, same /30.
interface Tunnel1
 ip address 10.10.10.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination big.router.ip

-k

On Thu, Jul 15, 2010 at 7:40 PM, Pshem Kowalczyk  wrote:

> Hi,
>
> I have a situation, where a customer wants a full BGP table
> (persuasion failed already), but is connected to small router (2821),
> with not enough memory to get anywhere near full table.  I have few
> other routers (ASR1K, 7600) that would normally be used for that, but
> are in far-away locations. Of course I can set up a local BGP session
> and then add a multihop one for the full feed, but that doesn't seem
> like an elegant solution any more. All the routers run MPLS, so if I
> could get a xconnect going between one of the bigger boxes and the
> small PE, without actually wasting port on the bigger router (by
> having some sort of logical interface) then I could run the BGP
> session directly. I had a look on Cisco website, but either it's not
> possible or that kind of bridging has a special name that I can't pin
> down. If you've heard of such feature - please let me know.
>
> kind regards
> Pshem
> ___
> cisco-nsp mailing list  cisco-...@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


Re: Vyatta as a BRAS

2010-07-15 Thread Paul WALL
On Thu, Jul 15, 2010 at 1:22 PM, Dennis Burgess  wrote:
> RouterOS is a software based router, we have them all over the world as
> CORE and EDGE routers to networks.

You keep using that word ("CORE"). I do not think it means what you
think it means.

Drive Slow, DoS Slower,
Paul Wall



Re: First signed root zone published

2010-07-15 Thread Matt Larson
On Thu, 15 Jul 2010, Matt Larson wrote:
> On Thu, 15 Jul 2010, Matt Larson wrote:
> > [...] was published and began rolling out to the root servers at 1625 UTC.
> 
> Make that 1650 UTC...
> 
> (The perils of staging email.)

Make that 2050 UTC (1650 EDT).

(The perils of a stressful deployment and time zone conversion.)



Re: First signed root zone published

2010-07-15 Thread Matt Larson
On Thu, 15 Jul 2010, Matt Larson wrote:
> [...] was published and began rolling out to the root servers at 1625 UTC.

Make that 1650 UTC...

(The perils of staging email.)



First signed root zone published

2010-07-15 Thread Matt Larson
I am pleased to report that the first fully validatable production
signed root zone, with SOA serial number 2010071501, was published and
began rolling out to the root servers at 1625 UTC.

More details to follow in a formal update.

Matt
...on behalf of the root DNSSEC design team



ARIN's Whois-RWS Directory Service Available 17 July

2010-07-15 Thread Mark Kosters


- Forwarded message from Member Services  -

From: Member Services 
Date: Thu, 15 Jul 2010 16:03:37 -0400
To: "arin-annou...@arin.net" 
Subject: [arin-announce] ARIN's Whois-RWS Directory Service Available 17 July

ARIN is pleased to announce that it will deploy its Whois-RWS service on 
17 July 2010. We have corrected the issues that impacted the first 
release and are now able to bring you the following services that 
provide the general public with access to ARIN's registration data:

* a RESTful Web Service (RWS)
* a NICNAME/WHOIS port 43 service
* a user-friendly web site (http://whois.arin.net)

When using the Whois-RWS you will notice some differences in behavior 
for certain queries and corresponding result sets on the NICNAME/WHOIS 
port 43 service. The detailed documentation on these differences has 
been updated and is now available at:
https://www.arin.net/resources/whoisrws/whois_diff.html

ARIN's Directory Service for registration data has used the 
NICNAME/WHOIS protocol since its inception. The limitations of the 
NICNAME/WHOIS protocol are well known and documented in RFC3912.
Whois-RWS was created as an alternative to the ARIN Whois and will 
provide much richer functionality and capability to the community.

ARIN continues to welcome community participation on the Whois-RWS 
mailing list, and we invite you to subscribe and share your experience 
and feedback about the new service:
http://lists.arin.net/mailman/listinfo/arin-whoisrws

Regards,


Mark Kosters
Chief Technical Officer
American Registry for Internet Numbers (ARIN)

- End forwarded message -



Re: On another security note... (of sorts)

2010-07-15 Thread Michael Holstein

> Why is it that network operators can't work together
> on instances like this and have a "botnet killswitch" 

Trust (or lack thereof).

Cheers,

Michael Holstein
Cleveland State University



Re: Vyatta as a BRAS

2010-07-15 Thread Łukasz Bromirski

On 2010-07-15 19:22, Dennis Burgess wrote:

> RouterOS is a software based router, we have them all over the world as
> CORE and EDGE routers to networks.

Wonderful, congratulations.

> Some of our hardware can hit multi-gig speeds, BGP etc.

Same can do your competitors.

> We commonly replace 7206VXRs.

Sad story, really. And I bet 7200VXRs commonly replace RouterOS.

> Does some other form of DoS attack have an effect on it, sure, but
> as long as you have enough CPU to weather the storm you normally
> don't have major issues.

Sure, a lot of people were at this point of their learning curve,
pretty sure that they will withstand anything with their multi-GHz,
multi-core CPUs. Then they met real world, or as it is often said,
real world met them.

(and I'm all for FreeBSD boxes, don't get me wrong, the whole point
 of this discussion is that either you're doing hardware forwarding
 and you're pretty safe [unfortunately often with a lot of caveats,
 but still], or you're doing software forwarding and you have
 a nice attack vector open for anyone willing)

--
"Everything will be okay in the end.  | Łukasz Bromirski
 If it's not okay, it's not the end." |  http://lukasz.bromirski.net



Re: On another security note... (of sorts)

2010-07-15 Thread Kornelijus Survila
On Thu, Jul 15, 2010 at 1:03 PM,  wrote:
>
> Hint: Why do many sites refuse to accept automated BGP feeds from Cymru's
> bogon list or RIR services?
>

The same reason many sites don't follow best practices and let spoofed
packets leave their network, etc?


Re: On another security note... (of sorts)

2010-07-15 Thread Valdis . Kletnieks
On Thu, 15 Jul 2010 13:46:24 EDT, "J. Oquendo" said:

> RFP anyone.. Botnet Mitigation for Networks surely collectively it would
> and CAN work.

A nice idea, but consider if a more automated tool/system was created to
behead a botnet (50,000 null0 routes to blackhole all the nodes? Or accept
collateral damage? etc).  Now consider that jujutsu is designed around using
the opponent's energy against him.

How can this possibly go wrong? :)

Hint: Why do many sites refuse to accept automated BGP feeds from Cymru's
bogon list or RIR services?


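The failure mode Valdis points at (an automated feed that can be turned into a weapon against the networks consuming it, the jujutsu case) is normally handled by gating the feed before it becomes router state. The following is an added example, not code from the thread or from any feed or vendor named in it; the feed entries, the protected ranges and the policy limits are constructed and labelled as such in the code. It rejects entries that are broader than a host route, that fall in bogon space or in the operator's own protected prefixes, or that come from an unlisted source, and it refuses the whole batch when it grows past a cap, so a poisoned or runaway feed cannot install tens of thousands of null routes unattended:

```python
"""Gate an untrusted "botnet killswitch" feed before it becomes null routes.
Added example for this thread, not code from any real feed or router.
All prefixes, protected ranges and limits below are constructed/assumed."""
import ipaddress
from dataclasses import dataclass, field

# Assumed policy knobs; tune per network.
TRUSTED_SOURCES = {"volunteer-list", "rir-feed"}
MAX_ADDRESSES_PER_ENTRY = 1      # host routes only: no /24 "collateral damage"
MAX_ACCEPTED_PER_BATCH = 500     # more than this => install nothing, page a human

# Constructed: space this network must never blackhole (own allocation,
# resolvers, peer links). Documentation prefixes stand in for real ones.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/25", "203.0.113.53/32", "2001:db8:1::/48",
)]

# Space that should never appear in a credible feed; its presence signals a
# careless or malicious feed rather than a real C2 node.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


@dataclass
class GateResult:
    accepted: list = field(default_factory=list)   # ip_network objects
    rejected: list = field(default_factory=list)   # (prefix string, reason)
    halted: bool = False                           # whole batch refused


def _covered_by(net, ranges):
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def check_entry(prefix, source):
    """Return None if the entry may be installed, otherwise a rejection reason."""
    if source not in TRUSTED_SOURCES:
        return "untrusted source %r" % source
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return "unparseable prefix"
    if net.num_addresses > MAX_ADDRESSES_PER_ENTRY:
        return "too broad: %d addresses" % net.num_addresses
    if _covered_by(net, BOGONS):
        return "bogon/non-routable space"
    if _covered_by(net, PROTECTED):
        return "overlaps protected space"
    return None


def gate_feed(entries, max_per_batch=MAX_ACCEPTED_PER_BATCH):
    """entries: iterable of (prefix, source). Returns a GateResult."""
    result = GateResult()
    seen = set()
    for prefix, source in entries:
        reason = check_entry(prefix, source)
        if reason is not None:
            result.rejected.append((prefix, reason))
            continue
        net = ipaddress.ip_network(prefix)
        if net not in seen:            # same host from two sources is one route
            seen.add(net)
            result.accepted.append(net)
    if len(result.accepted) > max_per_batch:
        # A feed that suddenly balloons is exactly the jujutsu case:
        # install nothing and escalate instead of blackholing blindly.
        result.halted = True
        result.accepted = []
    return result


def to_null_routes(nets):
    """Render accepted host routes as IOS-style static routes to Null0."""
    lines = []
    for net in nets:
        if net.version == 4:
            lines.append("ip route %s 255.255.255.255 Null0" % net.network_address)
        else:
            lines.append("ipv6 route %s/128 Null0" % net.network_address)
    return lines


# Constructed sample feed (documentation addresses, not real C2 nodes).
SAMPLE_FEED = [
    ("198.51.100.200/32", "volunteer-list"),  # ok
    ("198.51.100.0/24", "volunteer-list"),    # whole /24: too broad
    ("198.51.100.7/32", "volunteer-list"),    # inside our protected /25
    ("203.0.113.53/32", "rir-feed"),          # our resolver
    ("10.1.2.3/32", "volunteer-list"),        # RFC1918 bogon
    ("198.51.100.200/32", "rir-feed"),        # duplicate of the first entry
    ("203.0.113.77/32", "pastebin"),          # unknown source
    ("2001:db8:2::5/128", "rir-feed"),        # ok (v6 host route)
    ("2001:db8:1::5/128", "rir-feed"),        # inside protected v6 /48
]
```

Running `to_null_routes(gate_feed(SAMPLE_FEED).accepted)` yields two host routes and six rejections with reasons; the batch cap is the part that matters most operationally, since the point of an attacker feeding you 50,000 "validated" hosts is to make you do the damage yourself.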


On another security note... (of sorts)

2010-07-15 Thread J. Oquendo


While on another list (security list that some of you guys are on) there
is a discussion about a particular botnet that the "BP approach" of
containment is occurring. Not a big deal, we've all seen them from time
to time.

I read with interest on how volunteers are scrambling to contain this
botnet. Mind you, most of us work and do this (security tidbits) at the
same time while we work. Many of us do it for self-satisfaction, for
learning, for maybe naively thinking we can help make the net a better
place (INSERT_SAPPY_SONG_THERE). I just can't help but taking the 50k
foot view here... Why is it that network operators can't work together
on instances like this and have a "botnet killswitch" framework in
order. Now I know I will see the ramblings of "Why should I waste my
time (spend my money)" or "This is not an operational post take a hike"
and other similar posting however, this IS related to 'many-a-networks'
that could be avoided.

RFP anyone.. Botnet Mitigation for Networks surely collectively it would
and CAN work. Is it going to take an act of someone 'pwning' everyone's
account here before someone else says: "We should work together" or will
go in one ear and out the other while misfits run around emptying out
accounts, causing businesses to go under. Some of you guys have the most
amazing minds and have literally been the glue for what we use (the
Internet) and some have been the laziest admins I've seen on the planet.
Surely even a minimal framework to submit "validated" botnet
distribution sites is something everyone can collectively do. Nipping at
the head surely minimizes the overall damage these things are doing.

Now I do know some would come back and state the oft-said "Why bother!
... Dude fast-flux, etc." We know... To those, why respond.  How about
solutions from those who are controlling how traffic on the net flows.



-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




RE: Vyatta as a BRAS

2010-07-15 Thread Dennis Burgess
RouterOS is a software based router, we have them all over the world as
CORE and EDGE routers to networks.  Some of our hardware can hit
multi-gig speeds, BGP etc.  We commonly replace 7206VXRs.   Does some
other form of DoS attack have an effect on it, sure, but as long as you
have enough CPU to weather the storm you normally don't have major
issues.  

---
Dennis Burgess, Mikrotik Certified Trainer 
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270 Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training - Author of "Learn RouterOS"


-Original Message-
From: Joe Greco [mailto:jgr...@ns.sol.net] 
Sent: Wednesday, July 14, 2010 10:18 AM
To: Dobbins, Roland
Cc: NANOG list
Subject: Re: Vyatta as a BRAS

> On Jul 14, 2010, at 5:45 AM, Joe Greco wrote:
> > That's just a completely ignorant statement to make.
> 
> It's based on a great deal of real-world experience; I'm sorry you
> consider that to be 'ignorant'.

You're speaking to someone who has extensive experience with "software"
based routers, and you're failing to acknowledge the upsides of such an
architecture, when I've already conceded the upsides of a hardware
architecture.

> >  I notice in particular how carefully you qualify that with "[w]hen
> > BCPs are followed"; the fact that hardware router manufacturers have
> > declared everything and anything that derails their bullet trains as
> > "not a BCP" is a perfect example of this deceptive sort of misinformation.
> 
> Anti-spoofing, iACLs, CoPP (or its equivalent on non-Cisco platforms),
> et al. aren't 'misinformation'.  They're useful, proven
> techniques/features which any operator ought to implement.

The things that any given use scenario ought to implement are highly
dependent on the actual application.

> > There are plenty of FreeBSD based devices out there that are passing
> > tons of traffic; almost any of them are more competent than any Cisco
> > router I'm aware of when hitting them directly with traffic
> 
> Then your experience of Cisco routers (and/or those from other vendors)
> must be limited to the lower-end platforms; I can assure you that faster
> Cisco boxes such as ASRs, GSRs, CRSes, and so forth are in another league
> entirely, and can handle mpps of to-us traffic, when properly configured.
> Software-based routers simply can't do that; it's not an indictment of
> them, it's just that they aren't suited to purpose, just as station wagons
> generally aren't to be found in the Indy 500.

So your solution is to keep throwing heavier hardware at the problem until
it works.  Okay, I see that.  Now, let me quote from a different message:

> If maintaining availability is important, then hardware-based (semantic
> hairsplitting aside) devices are a requirement.

The truth is that you can keep throwing CPU at a problem as well.  I can
size a software based router such that it can remain available.

This is neither new nor exciting technology.  Luigi Rizzo was doing
extensive work on this about a decade ago: he took an Athlon 750 platform
with 4 100Mbit ethernet interfaces in it (Athlon 750 = 1999 tech) and was
able to exceed 100Mbps levels without a problem.  The UNIX based platforms
have extensive capabilities to defend against attack, even without a
firewall.  As with a hardware based platform, there are both good things
and bad things you can do that will impact availability.

Software based platforms have an incredible edge in areas that hardware
based platforms don't, including capex and the ability to find replacement
parts after a disaster.  I spent some time after the Haiti quake getting
FreeBSD-based routers up and running, a task made easier because it's a
lot easier to find a working PC and scavenge some network cards than it is
to find a working Cisco router in a city where all inbound and outbound
transportation is paralyzed.

You can continue to defend your position, of course, but it's just looking
a bit silly.  A wise engineer knows that there are several ways to tackle
any task, and "one tool for every job" is not a sound policy.

If you'd like to revise your position to "Cisco and Juniper software based
solutions are underpowered PoS", that's probably a defensible position,
and you won't get any argument from me.  Please don't generalize such a
position into all software based devices, though.  Overall, there are a
lot more software based routers out there than hardware based devices.
Your cablemodem, your ADSL modem, your wifi access point, all these are
probably software based devices.  Some of them will melt under a too-great
load.  Some won't.  This is a function of many different factors.  There
is nothing inherent in a software-based device that's going to make it
fail under load - just as there's nothing inherent in a hardware-based
device that's going to make it succeed (which is why you have to qualify
your defense of these wit

Re: [Bruce Hoffman] Thank-you for your recent participation.

2010-07-15 Thread Nick Boyce
On Mon, Jul 12, 2010 at 4:08 AM, Jay Hennigan  wrote:
> On 7/10/10 7:26 AM, Nick Boyce wrote:
>
>> I tend to assume that when I get an email allegedly from Company A
>> (Internap) but actually sent by Company/Domain B (iContact), inviting
>> me to enter all kinds of sensitive information about my organisation's
>> operations into a "survey" hosted at Domain C (Zoomerang) ... then
>> I'm being socially engineered by a Bad Guy, and I just press "delete".
[...]
> Rather than JHD (just hit delete) please try to reach out to someone
> with technical clue at Company A or their upstream.

Actually I _do_ do that quite a lot, much to the amusement of some
colleagues who think I complain too much.  I'm quite used to
contacting abuse@ and security@ teams anyway, so I often just treat
these emails as a security issue, and forward them to
secur...@companya stating

   "Someone is sending email claiming to be from your
   company but it looks as if they're actually a completely
   different organisation. You may want to look into this
   as a possibly fraudulent activity against your employer.
   If however these emails are genuine then my apologies
   for wasting your time, but you may wish to forward my
   email to the relevant marketing department, pointing
   out how ineffective their campaign will be, due to the
   number of recipients who will treat it as a scam."

However, as I'm sure you will have found, this often results in either
(a) no response, or (b) a tedious, painful response dialog with
various Company A staff who just don't get it. Only rarely do you get
to talk to Someone With A Clue who gets the required policy changes
implemented.

>> I do this, even when Company A is a big well-known company (e.g. Sun
>> ... it's happened)
>
> Sun giving away Dell laptops?  O RLY?

[grin]  no, in their case it was a free iPod as I recall ...
wouldn't have minded one of those, except that they won't play OGG
media.

> Shaming them is IMHO more effective, although it takes more work.

Trouble is, they're almost always outsourcing their campaigns, as part
of the western world's obsession with cost cutting by eliminating
in-house staff.  The MBA whizz-kids who dream it up just won't listen
to anything but bottom line.  "Incorrect domain name on the sender
address ?", they say, "... I'm afraid I don't see the significance.
I'm telling you now that ACME Mailshot Campaigns And Surveys Inc. is
fully authorised by us". [subtext: my bonus depends on the resulting
"savings"]

But yes, as and when I can bear it, I do what you suggest.

Keep the faith,
Nick
-- 
/* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }
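A check of the kind Nick applies by hand, as an added example (not code from the thread or from any of the companies named in it): it parses a message, compares the From domain against the envelope sender, the Sender header and the DKIM signing domain, and lists link targets that sit outside the claimed domain. Both sample messages are constructed and use reserved .example domains; org_domain is a deliberate approximation (last two labels) that a real deployment would replace with a public-suffix lookup.

```python
"""Flag mail whose claimed sender, actual sender and link targets do not
line up (Company A branding, sent via Company B, survey hosted at Domain C).
Added example, not from the thread; messages below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

HREF_RE = re.compile(r"""href\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
DKIM_D_RE = re.compile(r"(?:^|;)\s*d=([^;\s]+)")


def org_domain(host):
    """Crude registrable-domain guess: last two labels. Wrong for co.uk-style
    suffixes; a real deployment would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(msg, name):
    """Organisational domain of the address in an address header, or None."""
    value = msg.get(name)
    if not value:
        return None
    addr = parseaddr(str(value))[1]
    return org_domain(addr.rpartition("@")[2]) if "@" in addr else None


def dkim_domain(msg):
    """Signing domain (d= tag) of the first DKIM-Signature header, or None."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    m = DKIM_D_RE.search(str(sig))
    return org_domain(m.group(1)) if m else None


def link_domains(msg):
    """Sorted set of organisational domains linked from the body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return sorted({org_domain(urlparse(u).hostname or "") for u in HREF_RE.findall(text)})


def assess(raw):
    """Return the From domain, linked domains and a list of mismatch findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = header_domain(msg, "From")
    findings = []
    for label, actual in (("Return-Path", header_domain(msg, "Return-Path")),
                          ("Sender", header_domain(msg, "Sender")),
                          ("DKIM d=", dkim_domain(msg))):
        if actual and actual != claimed:
            findings.append("%s %s does not match From %s" % (label, actual, claimed))
    links = link_domains(msg)
    for d in links:
        if d != claimed:
            findings.append("link points at third-party domain %s" % d)
    return {"from": claimed, "links": links, "findings": findings}


# Constructed: "Company A" branding, sent by an ESP, survey on a third host.
SUSPECT = """\
Return-Path: <bounce-8812@mail.esp.example>
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=k1; h=from:subject; bh=x; b=y
From: "Company A Customer Surveys" <surveys@companya.example>
Sender: no-reply@mail.esp.example
To: noc@customer.example
Subject: Tell us about your network operations
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please complete our short survey:</p>
<a href="http://s.surveyhost.example/r/abc123">Start survey</a></body></html>
"""

# Constructed: everything aligned with the From domain.
ALIGNED = """\
Return-Path: <bounce-17@mail.companya.example>
DKIM-Signature: v=1; a=rsa-sha256; d=companya.example; s=k1; h=from:subject; bh=x; b=y
From: "Company A Customer Surveys" <surveys@companya.example>
To: noc@customer.example
Subject: Tell us about your network operations
Content-Type: text/html; charset="us-ascii"

<html><body><a href="https://www.companya.example/survey/abc123">Start survey</a></body></html>
"""
```

`assess(SUSPECT)` reports four findings (envelope, Sender, DKIM domain and the survey link all belong to someone other than the claimed sender); `assess(ALIGNED)` reports none. The same three-way comparison is what a recipient's DMARC evaluation does for the header/envelope part, which is why outsourced campaigns that never align their sending domain look indistinguishable from phishing.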



Re: A question for the house and the moderators (was Re: Vyatta as a BRAS)

2010-07-15 Thread Dobbins, Roland

On Jul 15, 2010, at 11:43 PM, Larry Sheldon wrote:

> A democracy is two wolves and a lamb voting on what to have for dinner.


Under the assumption that I'm meant to be fulfilling the role of the lamb, I 
know when I'm outvoted, heh.  This topic is obviously past its shelf-life.

;>

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken






A question for the house and the moderators (was Re: Vyatta as a BRAS)

2010-07-15 Thread Larry Sheldon
Oops--itchy trigger finger


[a round of the on-going and growing tedious micturation tournament]

Is this squalling fest really more "operational" than a conversation
dealing with a disabling spam attack?

Really?

-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting
the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml





A question for the house and the moderators (was Re: Vyatta as a BRAS)

2010-07-15 Thread Larry Sheldon
On 7/15/2010 11:39, Dobbins, Roland wrote:
> 
> On Jul 15, 2010, at 11:33 PM, Joe Greco wrote:
> 
>> Provided with a counterexample where this isn't true, you simply ignore it.
> 
> 
> I've yet to see a counterexample involving a software-based edge router in a 
> realistic testbed environment being deliberately packeted in order to cause 
> an availability hit - apologies if I've missed one, mind.
> 
>> Your arguments revolve around "My Ford Pinto's gas tank once exploded on me 
>> and it happened to other people too, therefore all inexpensive cars have 
>> unsafe gas tanks."
> 
> Actually, it's more along the lines of, "I've seen multiple accidents 
> involving multiple brands/models of economy-class automobiles in which the 
> passengers were grievously-injured or worse, while also having observed 
> passengers walking away from similar accidents in similar circumstances 
> involving heavier, more sturdily-built vehicles."
> 
> ---
> Roland Dobbins  // 
> 
> Injustice is relatively easy to bear; what stings is justice.
> 
> -- H.L. Mencken
> 
> 
> 
> 
> 


-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting
the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml





Re: Vyatta as a BRAS

2010-07-15 Thread Dobbins, Roland

On Jul 15, 2010, at 11:33 PM, Joe Greco wrote:

> Provided with a counterexample where this isn't true, you simply ignore it.


I've yet to see a counterexample involving a software-based edge router in a 
realistic testbed environment being deliberately packeted in order to cause an 
availability hit - apologies if I've missed one, mind.

> Your arguments revolve around "My Ford Pinto's gas tank once exploded on me 
> and it happened to other people too, therefore all inexpensive cars have 
> unsafe gas tanks."

Actually, it's more along the lines of, "I've seen multiple accidents involving 
multiple brands/models of economy-class automobiles in which the passengers 
were grievously-injured or worse, while also having observed passengers walking 
away from similar accidents in similar circumstances involving heavier, more 
sturdily-built vehicles."

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken






Re: Vyatta as a BRAS

2010-07-15 Thread Joe Greco
> On Jul 15, 2010, at 10:23 PM, Joe Greco wrote:
> > For example, for a provider whose entire upstream capacity is 1Gbps, I
> > have a hard time seeing how a Linux- or FreeBSD-based box could credibly
> > be claimed not to be a suitable edge router.
> 
> Because it can and will be whacked quite easily by anyone who packets it,
> either deliberately or inadvertently.  I've seen too many software-based
> routers fall over with far, far less traffic than 1gb/sec to think otherwise.

You seem to be off in your own little world.  Provided with a 
counterexample where this isn't true, you simply ignore it.  Your
arguments revolve around "My Ford Pinto's gas tank once exploded on me
and it happened to other people too, therefore all inexpensive cars have
unsafe gas tanks."

The sad reality is that any gas tank can be ruptured and can be made to
explode, but concluding that this is limited to inexpensive cars is a
silly conclusion.  The fact of the matter is that a /poorly engineered/
gas tank is much more prone to problems, whether it's in an inexpensive
car or a high end one.

You're drawing poor conclusions based on even poorer reasoning.  Your
negative experience with some software routers does not mean that they
are all crap, just as my negative experience with some hardware routers
does not mean that they are all crap.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Vyatta as a BRAS

2010-07-15 Thread Dobbins, Roland

On Jul 15, 2010, at 11:01 PM, Cian Brennan wrote:

> I'm almost certain they're not the uses that Roland is saying that software
> routers are entirely unsuited for.

Correct - I'm talking about SP (and even enterprise) edge routers.  I've seen 
as little as a few hundred kpps totally hose Cisco 7200s, boxes running 
Zebra/Quagga, and so forth.

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken






Re: Vyatta as a BRAS

2010-07-15 Thread Cian Brennan
On Thu, Jul 15, 2010 at 11:54:39AM -0400, Bill Bogstad wrote:
> On Thu, Jul 15, 2010 at 11:35 AM, Dobbins, Roland  wrote:
> >
> > On Jul 15, 2010, at 10:23 PM, Joe Greco wrote:
> >
> >> For example, for a provider whose entire upstream capacity is 1Gbps, I 
> >> have a hard time seeing how a Linux- or FreeBSD-based box could credibly 
> >> be claimed not to be a suitable edge router.
> >
> > Because it can and will be whacked quite easily by anyone who packets it, 
> > either deliberately or inadvertently.  I've seen too many software-based 
> > routers fall over with far, far less traffic than 1gb/sec to think 
> > otherwise.
> 
> Since you've seen "many software-based routers fall over", can you
> provide details on specific hardware/software/traffic patterns/rates
> where you've seen these failures?   From what I can tell, software
> based routers are almost universally used in SOHO environments; so it
> would be nice to know when such solutions are no longer viable in your
> experience.
> 
SOHO environments aren't normally targets of DOS attacks. And if they are,
their pipes are probably small enough to be easily filled with far less
difficulty than making the router fall over.

I'm almost certain they're not the uses that Roland is saying that software
routers are entirely unsuited for.

> Thanks,
> Bill Bogstad
> 
> 



Re: Vyatta as a BRAS

2010-07-15 Thread Bill Bogstad
On Thu, Jul 15, 2010 at 11:35 AM, Dobbins, Roland  wrote:
>
> On Jul 15, 2010, at 10:23 PM, Joe Greco wrote:
>
>> For example, for a provider whose entire upstream capacity is 1Gbps, I have 
>> a hard time seeing how a Linux- or FreeBSD-based box could credibly be 
>> claimed not to be a suitable edge router.
>
> Because it can and will be whacked quite easily by anyone who packets it, 
> either deliberately or inadvertently.  I've seen too many software-based 
> routers fall over with far, far less traffic than 1gb/sec to think otherwise.

Since you've seen "many software-based routers fall over", can you
provide details on specific hardware/software/traffic patterns/rates
where you've seen these failures?   From what I can tell, software
based routers are almost universally used in SOHO environments; so it
would be nice to know when such solutions are no longer viable in your
experience.

Thanks,
Bill Bogstad



Re: Vyatta as a BRAS

2010-07-15 Thread Dobbins, Roland

On Jul 15, 2010, at 10:23 PM, Joe Greco wrote:

> For example, for a provider whose entire upstream capacity is 1Gbps, I have a 
> hard time seeing how a Linux- or FreeBSD-based box could credibly be claimed 
> not to be a suitable edge router.

Because it can and will be whacked quite easily by anyone who packets it, 
either deliberately or inadvertently.  I've seen too many software-based 
routers fall over with far, far less traffic than 1gb/sec to think otherwise.

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken






Re: Vyatta as a BRAS

2010-07-15 Thread Joe Greco
> I briefly browsed the links and I didn't see any traffic profiles included.
> 
> If you are talking about pushing x mbps with no specifics and/or general 
> traffic, I think most of us agree you can do that easily and probably 
> consistently without any issues.  And for some icing, you may even do it at 
> <90% average CPU util.  Does that mean it should be an edge device at any 
> service provider?  No.  Some?  Sure.

Those last two words are the point I've been trying to make.  If you'll
recall, Roland said flat out that that wasn't the case.

> Can you point to any specific tests of attack vectors and/or traffic 
> profiles with: CPU utilization, packet loss levels and pps/mbps/etc data? 

Not without doing the work; I have no plans to do the work for free just
to prove a point on NANOG.  I have Real Work to do.

> The reason I ask is that Roland is in a specific business and has a specific 
> point.

Sure, and I'm making the point that this point isn't universally true in
the way Roland would like to paint it.

> As a side, were those 2 VMs on the same box?  That traffic out on the wire? 
> What's the traffic profile?

Yes, no (just between vm's), just sheer UDP blasting of both the vservers
from the other (mutual attack) with ports both closed and opened.  Since
Roland's point seems to be that the availability of the platform is
impacted by an attack on the control plane (in this case, for all
reasonable intents and purposes, that would appear to be the host OS's
addresses), I didn't really feel it necessary to get particularly
complicated, and just tested the control plane availability theory.

My point is that a randomly created *virtual* machine can absorb a 
>100Mbps attack on it at minimum packet size without blinking, while
simultaneously delivering such an attack, in the spare CPU cycles of
a vm host that has dozens of hosts on it.  It's meant to suggest that
what Roland is selling includes a healthy dose of FUD; I, on the other
hand, am happy to concede that at a certain point, the hardware stuff
is going to be more effective.  It'd be nice if Roland could concede
that software-based routers have some advantages and some reasonable 
use profiles.

For example, for a provider whose entire upstream capacity is 1Gbps, I
have a hard time seeing how a Linux- or FreeBSD-based box could credibly
be claimed not to be a suitable edge router.

The problem with Roland's statement is its absoluteness; I have a much
easier side to argue, since I merely need to explain one case where the
use profile does not result in failure, and there are many to choose
from.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.