Re: Routers in Data Centers
But it seems that NetFPGA has not enough memory to hold a full view (current 340k routes).

It's just a development platform for prototyping designs, not something you would use in production... I want to use it to implement and test ideas that I have, and play with some different forwarding architectures, not use it as a final product :)

also, does a datacenter router/switch need a full table? isn't that the job of the peering/transit routers in your scheme?

In my small network the datacenter router is also the peering/transit router.
Re: Online games stealing your bandwidth
On 9/25/2010 6:47 PM, Adrian Chadd wrote:
> I don't recall any protocols being standard.

I don't either, though I recall bittorrent actually supporting it once and pushing to have ISP support and stay away from encryption/ISP circumvention. That was years ago. Haven't stayed current. Plenty of people sell p2p caches but they all work using magic, smoke and mirrors. Seem to recall some law suits concerning a few of them. Even if we had ISP supporting caches, there is always the problem getting p2p clients to support them (given they often are too busy trying to circumvent). A good standard would be nice, though, and at least offer a middle ground for trying to get support for such technology as well as pushing it back to open source, legitimate caching vs lying to p2p clients, and solving many issues that pop up from time to time of upstreams not supporting the downstream loads, which a cache could heavily alleviate.

Jack
Re: Randy in Nevis
On Mon, 27 Sep 2010 09:30:06 PDT, Lyndon Nerenberg said:
> I've heard from a couple of people that the PIX will remap 587 (and 25) to oddball ports if you fiddle the config just right. Given all the other bogosity that box does with SMTP I wonder if there's truth to the rumour. (I haven't found anyone who can reproduce this on demand, so it's still apocryphal for now.)

I've heard some people say that reproducing totally compliant SMTP behavior on those boxes on demand is apocryphal as well. :)

(I have to admit I haven't actually tracked a user complaint down to a misbehaving PIX in a year or two, but I can't say if the software has gotten better or if its market share is just small enough to fly under my radar - the type of people who send e-mail from behind a PIX don't interact with my users all that often)
Re: Online games stealing your bandwidth
On Mon, 27 Sep 2010 17:44:37 BST, Leigh Porter said:
> We had a great P2P cache from Cache Appliance. Did anybody else try them?

Can you say anything about what size cache it was, and what amount of bandwidth savings it produced?
RE: Mobile Operator Connectivity
With the assumption that you will have a wired backhaul to your HQ over which the retail access-layer devices connect to commerce servers, make sure that the wireless carrier's gateways to their wired network (where the wired backhaul is connected to) are geographically well-dispersed such that wireless access traffic from (for example) suburban Los Angeles destined for a Los Angeles HQ data center, does not traverse the US back to the east coast before it enters the carrier's wired backbone. Surprisingly, some large wireless carriers appear to think that 2 continental traversals for each packet is an acceptable network design. I have experienced round trip latency between sites 50 miles apart measured at 750-1500 milliseconds when using GSM/CDMA wireless as the access layer method.

The key is to ask the wireless carrier where the network-to-network interfaces between the wireless and wired backbone networks are located, and moreover, how many interfaces are there. Some large wireless carriers have a single wireless/wired gateway for the entire US!

-----Original Message-----
From: Leo Woltz [mailto:leo.wo...@gmail.com]
Sent: Saturday, September 25, 2010 1:37 PM
To: nanog@nanog.org
Subject: Mobile Operator Connectivity

I am looking for some guidance from the list. We will soon be deploying wireless payment devices (CDMA/GSM). We are looking at options on where to locate the servers that will run the backend payment gateways; we would like the least amount of latency between the servers and the wireless networks as possible.

The wireless networks we will be deploying the devices on are: ATT Wireless, Verizon Wireless, Sprint PCS, Rogers Wireless, Bell Mobility, Telus Mobility, Vodafone.

I was thinking we have a few options: to try and peer with the wireless networks directly, buy bandwidth from networks that are directly peered with the wireless operators, or the Global Roaming Exchange Peering service that Equinix runs, but I have not been able to find out much more than what is on Equinix's public web site. We also have a need to peer with PayPal and Amazon. I welcome the list's comments and recommendations.
Re: Software-based Border Router
On Sun, 2010-09-26 at 21:45 -0500, Chris Adams wrote:
> Yeah, because IOS and JUNOS don't have idiosyncrasies. :-)

Not gonna argue with you on that one. However, the world has changed since the days where the chances of clueful unix systems engineering knowledge and clueful BGP routing knowledge was highly guaranteed to be found cohabitating in a single lifeform. You are far more likely to find that relatively speaking most network engineers have very little knowledge in unix systems engineering. This list may be an exception but I would gather that the bulk of the network engineering workforce are little more than power users (if that) when it comes to operating systems.

--
Jake Khuon kh...@neebu.net
Packet Plumber, Network Engineers for Effective Bandwidth Utilisation
NEEBU NETWORKS
RE: Randy in Nevis
-----Original Message-----
From: Lyndon Nerenberg [mailto:lyn...@orthanc.ca]
Sent: Monday, September 27, 2010 9:30 AM
To: nanog@nanog.org
Subject: Re: Randy in Nevis

> On 10-09-27 7:20 AM, Robert E. Seastrom wrote:
>> Cannot establish SSL with SMTP server 67.202.37.63:465 does not sound like a 587 problem to me. netalyzr folks? comment?
>
> Sorry, I hit send too soon ...
>
> I've heard from a couple of people that the PIX will remap 587 (and 25) to oddball ports if you fiddle the config just right. Given all the other bogosity that box does with SMTP I wonder if there's truth to the rumour. (I haven't found anyone who can reproduce this on demand, so it's still apocryphal for now.)

static (inside,outside) tcp <outside ip> 25 <inside ip> 65535
access-list outside_acl permit tcp any any eq 25
no fixup smtp

That will redirect port 25 to port 65535, allow port 25 through the firewall, and remove the fixup that changes the server banner to *, which breaks most mail communications.

Regards,
Mike
Re: Online games stealing your bandwidth
On Mon, 27 Sep 2010 19:27:28 BST, Brandon Butterworth said:
> I fail to see the point. If an ISP needs to add caches they may as well just add a simple, cheaper, standard, http cache.

It's a bang-per-buck issue, and depends highly on whether your particular network sees more HTTP or P2P traffic. If HTTP is 60% of your traffic, an http cache makes sense. If P2P is 70% and HTTP is 20%, it probably doesn't make sense. And the only numbers that matter here are what *you* measure at the point you intend to install the cache - I've seen so many conflicting numbers for different parts of the net that no firm conclusions can be drawn.
Re: Online games stealing your bandwidth
>> I fail to see the point. If an ISP needs to add caches they may as well just add a simple, cheaper, standard, http cache.
>
> It's a bang-per-buck issue, and depends highly on whether your particular network sees more HTTP or P2P traffic.

Orly.

No, I mean if there have to be caches why use p2p in the first place, once there's a network of caches p2p becomes a more complicated http and that model has been well optimised by some. I know the people stealing things don't want to pay akamai but games charging for access are a different matter.

brandon
Re: Online games stealing your bandwidth
On 27 Sep 2010, at 20:54, Brandon Butterworth wrote:
>>> I fail to see the point. If an ISP needs to add caches they may as well just add a simple, cheaper, standard, http cache.
>>
>> It's a bang-per-buck issue, and depends highly on whether your particular network sees more HTTP or P2P traffic.
>
> Orly.
>
> No, I mean if there have to be caches why use p2p in the first place, once there's a network of caches p2p becomes a more complicated http and that model has been well optimised by some. I know the people stealing things don't want to pay akamai but games charging for access are a different matter.
>
> brandon

I agree but it isn't the SP who drives P2P use, it's the users.. So whilst they use it, networks kind of have to make it work.

We used the P2P cache for a very specific reason. We had a wireless uplink constrained network and the P2P cache cached users' uplink traffic and served it from the cache, saving us about 50% of our P2P uplink load.

--
Leigh Porter
Re: Mobile Operator Connectivity
On 9/25/2010 13:37, Leo Woltz wrote:
> I am looking for some guidance from the list. We will soon be deploying wireless payment devices (CDMA/GSM). We are looking at options on where to locate the servers that will run the backend payment gateways; we would like the least amount of latency between the servers and the wireless networks as possible. The wireless networks we will be deploying the devices on are:
> Sprint PCS

For Sprint you can get a circuit to AS1239 and just take customer routes. Their PCS network is AS10507, but as far as I know the closest you can get to it is 1239.

~Seth
Re: Online games stealing your bandwidth
On 9/27/2010 2:54 PM, Brandon Butterworth wrote:
> No, I mean if there have to be caches why use p2p in the first place, once there's a network of caches p2p becomes a more complicated http and that model has been well optimised by some.

It's a redundancy factor. By participating in a p2p network as a cache, and even feeding clients information which would be important to them (ie, I'm actually better than your neighbor's house), p2p can be optimized. A p2p cache generally wouldn't cache items which don't have repeatability, so there would probably need to be multiple hits for the cache to grab the data. The cache itself would use p2p to obtain its copy, providing information to its clients even as the current clients and the cache server are both pulling from remotes.

At no point should you consider such a caching solution to equate to a standard http cache. A proper standardized p2p cache shouldn't just be about caching information for local clients, but should also be about giving clients additional information to optimize them. Clients who are seeding information should be able to inform the cache of such, and should enough traffic be involved, the cache itself should be able to pull the necessary information and start providing to remotes instead of the client, so long as the client shows it's seeding (ie, client is seeding, but actually isn't transferring data since the cache is announcing it will on behalf of the client). This would, of course, not drop the overall outbound p2p traffic from an ISP at its core, but could reduce last mile bandwidth while still participating as necessary. It meets the legal caching framework, as if the client stops providing, the cache will stop providing. Such a solution, of course, should still maintain a "hey, IP x seeding, but cache at IP y has the data" (similar to proxy headers, but this works in a cloud which complicates it a bit) to meet any dmca tracking issues or ISPs will run from the legal nightmare.

Jack
RE: Software-based Border Router
We have looked at using open source routers for our border, but in the end we cannot make the numbers add up. Once Cisco released the x9xx ISR2 routers, the x8xx have tanked in price on the used market. So, for about the same as a vyatta router running on newer hardware that you can trust you can get a 28xx or 38xx. If you also want support, Cisco will support these at less than $100/month and that gets you access to the IOS upgrades and a 4 hr. replacement window. I know I sleep better knowing Cisco will drop off a router in less than 4 hours if one of mine fails.

Dylan

-----Original Message-----
From: Nathanael C. Cariaga [mailto:nccari...@stluke.com.ph]
Sent: Sunday, September 26, 2010 4:42 AM
To: nanog@nanog.org
Subject: Software-based Border Router

Hi All!

Just want to ask if anyone here had experience deploying software-based routers to serve as perimeter / border router? How does it gauge with hardware-based routers? Any past experiences will be very much appreciated.

I wanted to know because we've been asked if we want to assume full control of the internet link (up to the router). By assuming control up to the router, we still want to configure iBGP with our parent network so that we can take advantage of some routes available to the parent network's gateway. The saddest part is presently we do not have the router to serve as our gateway this is why we are considering the use of software-based routers.

Thank you.
Re: Software-based Border Router
We use a mix of software and hardware based routers, have found little difference between the two platforms in terms of performance and stability. Our software based routers are serving a couple 100Mbps upstream links running on some HP Proliants with dual PS and dual HD's that we picked up on ebay for $150 then loaded Quagga on them. I actually have to give a little bit of an edge to the Linux based systems only because of all the other wealth of diagnostics/troubleshooting tools one gets with Linux in general... It's nice to be able to run Wireshark right on the systems if we need to. As for troubleshooting, I've found the Quagga mailing list to be just as responsive (if not more responsive at times) as Cisco, but clearly your mileage will vary there.

Bret

On 09/27/2010 04:59 PM, Dylan Ebner wrote:
> We have looked at using open source routers for our border, but in the end we cannot make the numbers add up. Once Cisco released the x9xx ISR2 routers, the x8xx have tanked in price on the used market.
> [...]
Re: Software-based Border Router
I haven't found that to be the case. The larger memory space available to the kernel allows for larger BGP tables and filtering tables. I've seen BSD based systems running thousands of concurrent tunnels and the processors available in the linux/BSD space bury anything that the router manufacturers are overcharging you for. A properly planned upgrade or addition of a card should take a maximum of 15 minutes as everything should be plug and play. Some of the software based systems also come from the manufacturer with the hardware. If the network is configured properly with failover capabilities and only one unit down at a time, down time is minimal or non existent. Software upgrades happen in a matter of minutes.

Cheers,
--Curtis

> Another big problem for Linux/Unix-based routers of this size/cost is upgrade-ability. If you need to add cards, you are going to have to bring the router down for extended periods. Likewise, a software upgrade can be a bigger deal than on a purpose designed router. If a router is mission critical, Linux/Unix-based has issues over extended periods.
>
> regards,
> Fletcher
>
> On Sun, Sep 26, 2010 at 4:35 PM, William Herrin b...@herrin.us wrote:
>> On Sun, Sep 26, 2010 at 6:15 AM, Nathanael C. Cariaga nccari...@stluke.com.ph wrote:
>>> Thank you for the prompt response. Just to clarify my previous post, I was actually referring to Linux/Unix-based routers. We've been considering this solution because presently we don't have any budget for equipment acquisition this year.
>>
>> What's your time worth? Quagga on Linux is a fine software, but messing with the idiosyncrasies is far more time consuming than buying a Cisco 2811, adding enough RAM to handle BGP, configuring it once and forgetting about it. Also bear in mind that while your ISP's engineers can help you configure your Cisco router, Quagga is a mystery to them. You can still get help... but not from someone who also knows how the ISP's network is configured. This is not a problem if you have lots of experience with BGP routing. Do you?
>>
>> Regards,
>> Bill Herrin
>>
>> --
>> William D. Herrin her...@dirtside.com b...@herrin.us
>> 3005 Crane Dr. Web: http://bill.herrin.us/
>> Falls Church, VA 22042-3004
>
> --
> Fletcher Kittredge
> GWI
> 8 Pomerleau Street
> Biddeford, ME 04005-9457
> 207-602-1134
Re: Software-based Border Router
Do jitter sensitive applications have problems at all running? What would you say is the point at which people should be looking for a hardware forwarding solution?

Differences:
- Hardware forwarding
- Interface options
- Port density
- Redundancy
- Power consumption
- Service Provider stuff - MPLS TE? VPLS? VRF??

Any others?
Re: Software-based Border Router
Oh, support contract!!?

> Differences:
> - Hardware forwarding
> - Interface options
> - Port density
> - Redundancy
> - Power consumption
> - Service Provider stuff - MPLS TE? VPLS? VRF??
>
> Any others?
EFF needs your help to stop the Senate's DNS censorship bill
Dear network operators,

I apologise for a posting that contains some politics; I hope you'll agree that it also has fairly substantial short-to-medium term operational implications.

As you may or may not have heard, there is a censor-DNS-to-enforce-copyright bill that is going to be passed by the Senate Judiciary Committee this Wednesday. It will require service providers to censor the DNS entries of blacklisted domains where piracy is deemed too central to the site's purpose. Senators are claiming that they haven't heard any opposition to this bill, and it is being sponsored by 14 of the 19 committee members. We believe it needs to be stopped, and we need your help.

What EFF needs right now is sign-ons to an open letter, from the engineers who helped build the Internet in the first place. The text of our letter is below. If you agree with it and would like to sign, please send me an email at p...@eff.org, with your name and a one-line summary of what part of the Internet you have helped to design, implement, debug or run.

This is URGENT. I need your sign-ons by 4:00pm, US Eastern time (1pm Pacific), tomorrow. Unfortunately, the civil liberties community has been ambushed by this bill.

You can find out more details on the bill here: https://eff.org/coica

---

Open letter from Internet engineers to members of the Senate Judiciary Committee:

We, the undersigned, have played various parts in building a network called the Internet. We wrote and debugged the software; we defined the standards and protocols that talk over that network. Many of us invented parts of it. We're just a little proud of the social and economic benefits that our project, the Internet, has brought with it.

We are writing to oppose the Committee's proposed new Internet censorship and copyright bill. If enacted, this legislation will risk fragmenting the Internet's global domain name system (DNS), create an environment of tremendous fear and uncertainty for technological innovation, and seriously harm the credibility of the United States in its role as a steward of key Internet infrastructure. In exchange for this, the bill will introduce censorship that will simultaneously be circumvented by deliberate infringers while hampering innocent parties' ability to communicate.

All censorship schemes impact speech beyond the category they were intended to restrict, but this bill will be particularly egregious in that regard because it causes entire domains to vanish from the Web, not just infringing pages or files. Worse, an incredible range of useful, law-abiding sites can be blacklisted under this bill. These problems will be enough to ensure that alternative name-lookup infrastructures will come into widespread use, outside the control of US service providers but easily used by American citizens. Errors and divergences will appear between these new services and the current global DNS, and contradictory addresses will confuse browsers and frustrate the people using them. These problems will be widespread and will affect sites other than those blacklisted by the American government.

The US government has regularly claimed that it supports a free and open Internet, both domestically and abroad. We can't have a free and open Internet without a global domain name system that sits above the political concerns and objectives of any one government or industry. To date, the leading role the US has played in this infrastructure has been fairly uncontroversial because America is seen as a trustworthy arbiter and a neutral bastion of free expression. If the US suddenly begins to use its central position in the DNS for censorship that advances its political and economic agenda, the consequences will be far-reaching and destructive.

Senators, we believe the Internet is too important and too valuable to be endangered in this way, and implore you to put this bill aside.

--
Peter Eckersley p...@eff.org
Senior Staff Technologist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
OSPFv3 Authentication
Hi,

I am doing a survey and was interested in knowing if network operators are using OSPFv3 with authentication [RFC 4552] turned on? I know that most providers turn on authentication with OSPFv2, but given that OSPFv3 needs IPsec integration and can thus get a little cumbersome to configure, wanted to understand if a similar % of folks also turn on authentication for OSPFv3?

You can unicast me your responses (if you don't wish to share it on the list) and I will collate all data and post a summary on the list.

Cheers, Manav
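As an added illustration of the IPsec dependence the question refers to (this is not part of Manav's post or of the survey), here is what RFC 4552 authentication looks like in Cisco IOS syntax. The keys are manually configured per area or per link together with an explicit SPI, and every router on the link has to carry the same SPI, algorithm and key. The process number, router-id, interface name, SPI values and the key placeholder below are assumed values chosen for the example.

```text
! Assumed IOS example (not from the post): OSPFv3 with RFC 4552 AH authentication.
! Area-wide manual keying: the SPI, algorithm and key must match on every router
! in area 0, which is the part that makes OSPFv3 more work to roll out than OSPFv2.
ipv6 router ospf 1
 router-id 192.0.2.1
 area 0 authentication ipsec spi 500 sha1 <40-hex-digit-key>
!
! A per-link override for a single interface; the SPI here must not collide with
! the area-level one and must again match the neighbour on the far end of the link.
interface GigabitEthernet0/1
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 501 sha1 <40-hex-digit-key>
!
! Verification: the interface view reports the SPI in use, and the IPsec SA view
! confirms that the AH security association actually exists on both routers.
! show ipv6 ospf interface GigabitEthernet0/1
! show crypto ipsec sa
```

Because RFC 4552 relies on manual keying, rotating the key is also a manual, coordinated change on every router in the area rather than a per-interface knob as with OSPFv2's keychains, which is the operational cost the question is getting at. IOS also has an `ipv6 ospf encryption ipsec` form that uses ESP to add confidentiality on top of integrity protection.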
Re: Online games stealing your bandwidth
Can someone name an ISP that encourages P2P traffic?? ;)

Sent from a mobile phone with a small keyboard, please excuse my mistakes.

On Sep 27, 2010, at 4:32 PM, Richard Barnes richard.bar...@gmail.com wrote:
> There's some standardization work being done in the IETF ALTO working group. They're looking at ways ISPs can inform P2P clients about which peers are better, i.e., topologically nearby. http://tools.ietf.org/wg/alto/
>
> I'm less familiar with DECADE, but I believe they're working on more directly cache-related stuff. http://tools.ietf.org/wg/decade/
>
> On Sep 25, 2010 4:44 PM, Matthew Walster matt...@walster.org wrote:
>> On 25 September 2010 21:16, Rodrick Brown rodrick.br...@gmail.com wrote:
>>> I think most people are...
>> snip
>>
>> I once read an article talking about making BitTorrent scalable by using anycasted caching services at the ISP's closest POP to the end user. Given sufficient traffic on a specified torrent, the caching device would build up the file, then distribute that direct to the subscriber in the form of an additional (preferred) peer. Similar to a CDN or Usenet, but where it was cached rather than deliberately pushed out from a locus.
>>
>> Was anything ever standardised in that field? I imagine with much of P2P traffic being (how shall I put this...) less than legal, it's of questionable legality and the ISPs would not want to be held liable for the content cached there?
>>
>> M
Re: Software-based Border Router
I have seen software based routers (FreeBSD+Quagga) in production at pennies on the dollar compared to Cisco for quite some years. Up front, as other people have noted, you need to know what you are doing. There is no 'crying for help 24x7'. By the same token, if you know what you are doing then they can be a very cost effective solution. I have yet to see (or try out) MPLS and such, so if requirements need features like that, then probably open source may not be the solution.

The above said, other comments inline below...

On Sep 27, 2010, at 3:48 PM, Heath Jones wrote:
> Do jitter sensitive applications have problems at all running? What would you say is the point at which people should be looking for a hardware forwarding solution?
>
> Differences:
> - Hardware forwarding

Yes, absolutely, no hardware forwarding. This must be compensated for by utilizing as advanced/expensive 'commodity PC hardware' as possible. You want lots of CPU horsepower, fast busses (PCI-E x16 if possible) and good NICs so the OS can offload as much as possible to the hardware and not be bandwidth constrained. Even then, no way are you going to get anything close to what you can from a 'real' router. A classic trade off between technical needs/desires vs. financial constraints.

> - Interface options

Make sure there are at least two NIC platforms, i.e., a pair of onboard dual gigabit plus another dual gigabit card. Bond the interfaces between the separate NIC platforms so that each bond has one gigabit link off, say, the onboard and one off the NIC card. Utilize LACP.

> - Port density

Use VLANs - again, a quality NIC will help with this by offloading a good portion of the overhead to hardware.

> - Redundancy

Use a /29 to your eBGP provider and turn up two routers side-by-side. Again, if you are looking for hard core 'carrier grade' stuff, you should not be asking about open source. Pair the two routers, for eBGP sessions, and use a separate interface for them to talk to each other.

> - Power consumption

Always an issue, no way are you going to get pps from this kind of stuff like you would from Cisco.

> - Service Provider stuff - MPLS TE? VPLS? VRF??

Yup.

> Any others?

If somebody is on an extremely tight budget, is technically capable of utilizing open source to do what they need, and their requirements are limited enough that an open source platform would work for them, I would suggest they check into it. Ultimately, as always, it is buyer beware. Often with dedicated routers a support contract can cost as much as the router itself after a year or two, but sometimes companies need that support contract because they don't have the in-house skills already, etc. I would never recommend either open source or dedicated hardware routers to anybody as a 'this is the only way to go' solution.
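The interface, port-density and redundancy points above, written out as a concrete build for one router of the pair. This is an added example, not configuration from the poster or from any of the threads' participants; it assumes a Debian-style ifupdown host with the ifenslave and vlan packages, Quagga's bgpd, documentation address space (192.0.2.0/29 toward the provider, 198.51.100.0/30 between the two routers, 203.0.113.0/24 as the block being announced) and the assumed private ASNs 64496 (ours) and 64500 (upstream); the interface names and the shared-secret placeholders are likewise assumed.

```text
# ---- /etc/network/interfaces (router A) ----
# One leg of the LACP bundle on the onboard NIC (eth0) and one on the add-in
# card (eth2), so the loss of either NIC platform leaves the bundle up.
auto bond0
iface bond0 inet manual
    bond-slaves eth0 eth2
    bond-mode 802.3ad
    bond-miimon 100
    bond-lacp-rate fast
    bond-xmit-hash-policy layer3+4

# 802.1Q subinterface toward the provider on the shared /29
# (assumed layout: provider .1, router A .2, router B .3).
auto bond0.100
iface bond0.100 inet static
    vlan-raw-device bond0
    address 192.0.2.2
    netmask 255.255.255.248

# Dedicated physical interface for the two routers to talk to each other.
auto eth1
iface eth1 inet static
    address 198.51.100.1
    netmask 255.255.255.252

! ---- /etc/quagga/bgpd.conf (router A) ----
router bgp 64496
 bgp router-id 192.0.2.2
 network 203.0.113.0/24
 ! eBGP to the upstream over the /29. The TCP MD5 password protects the
 ! session, and the outbound prefix-list stops the router from leaking
 ! anything but our own block if a configuration mistake is made later.
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 description upstream
 neighbor 192.0.2.1 password <shared-secret-with-upstream>
 neighbor 192.0.2.1 prefix-list OURS out
 ! iBGP to router B over the dedicated link, so each box knows the other's
 ! eBGP-learned routes and can take over if one provider session drops.
 neighbor 198.51.100.2 remote-as 64496
 neighbor 198.51.100.2 password <shared-secret-between-routers>
 neighbor 198.51.100.2 next-hop-self
!
ip prefix-list OURS seq 5 permit 203.0.113.0/24
ip prefix-list OURS seq 10 deny 0.0.0.0/0 le 32
```

Router B carries the mirror image (192.0.2.3 on bond0.100, 198.51.100.2 on eth1, and router A as its iBGP neighbour). The `neighbor ... password` lines need a kernel with TCP MD5 signature support, which is exactly the kind of platform-specific detail the thread warns you have to know about in advance; the explicit `deny 0.0.0.0/0 le 32` at the end of the prefix-list documents the intent that nothing else is ever announced.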
Re: Randy in Nevis
On Sep 27, 2010, at 9:30 AM, Lyndon Nerenberg wrote:
>> On 10-09-27 7:20 AM, Robert E. Seastrom wrote:
>> Cannot establish SSL with SMTP server 67.202.37.63:465 does not sound like a 587 problem to me. netalyzr folks? comment?
>
> Sorry, I hit send too soon ...
>
> I've heard from a couple of people that the PIX will remap 587 (and 25) to oddball ports if you fiddle the config just right. Given all the other bogosity that box does with SMTP I wonder if there's truth to the rumour. (I haven't found anyone who can reproduce this on demand, so it's still apocryphal for now.)

465 is not an odd-ball port, it's the standard well-known port for SMTPS. Fortunately, few people actually use SMTPS, preferring instead to do their security via TLS using the STARTTLS model after connecting to 25/587.

Owen