look for BGP routes containing local AS#

2015-01-27 Thread Song Li

Hi everyone,

Recently I studied the BGP AS path looping problem, and found that in 
most cases, received BGP routes containing the local AS# are suspicious. 
However, we checked our BGP routing table (AS23910, CERNET2) on a Juniper 
router ("show route hidden terse aspath-regex .*23910.*"), and have not 
found such routes in the Adj-RIB-In.


We believe that received BGP routes containing the local AS# are related 
to BGP security problems. Hence, we want to look for some real cases in 
the wild. Could anybody give us some examples of such routes?


Thanks!

Best Regards!

--
Song Li
Room 4-204, FIT Building,
Network Security,
Department of Electronic Engineering,
Tsinghua University, Beijing 100084, China
Tel:( +86) 010-62446440
E-mail: refresh.ls...@gmail.com

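An added check for the question above (example code, not from the original post or from any vendor tool): it parses textual AS_PATHs as routers print them, flags received routes that carry the receiver's own AS anywhere in the path (including inside an AS_SET), and separately reports genuine loops, where an AS reappears after a different AS intervened, so ordinary prepending is not misreported. BGP's loop detection (RFC 4271, section 9.1.2) is why such routes rarely show up in a router's RIB: a speaker discards an inbound route whose AS_PATH already contains its own AS unless loop tolerance has been configured, so a check like this is most useful on a route collector or a raw BGP feed that does not apply that rule. The sample routes, the function names and every ASN except 23910 (RFC 5398 documentation ASNs) are constructed for illustration.

```python
"""Flag received BGP routes whose AS_PATH contains the receiver's own AS.

Added example, not code from the original post. AS_PATH is taken in the
textual form routers print: space-separated ASNs, with AS_SET segments in
braces, e.g. "64496 23910 {64499 64500}". All routes below are constructed;
every ASN except 23910 is an RFC 5398 documentation ASN.
"""
import re

LOCAL_AS = 23910  # AS23910 (CERNET2), from the question

# Constructed sample of what a collector might hold in Adj-RIB-In.
SAMPLE_ROUTES = [
    ("192.0.2.0/24",      "64496 64497 64498"),          # clean
    ("198.51.100.0/24",   "64496 23910 64497"),          # our AS mid-path: loop or leak
    ("203.0.113.0/24",    "64496 64496 64496 64497"),    # prepending, not a loop
    ("198.51.100.128/25", "64496 64497 64496 64498"),    # 64496 reappears: path loop
    ("192.0.2.128/25",    "64496 {23910 64499}"),        # our AS hidden inside an AS_SET
]

_TOKEN = re.compile(r"\{[^}]*\}|\d+")


def parse_as_path(as_path):
    """Return a list of segments; each segment is the set of ASNs in it.
    AS_SEQUENCE entries become one-element sets and AS_SET ({...}) entries
    become multi-element sets, because an AS_SET carries no ordering."""
    segments = []
    for tok in _TOKEN.findall(as_path):
        if tok.startswith("{"):
            segments.append({int(a) for a in tok[1:-1].split()})
        else:
            segments.append({int(tok)})
    return segments


def contains_as(as_path, asn):
    """True if asn occurs anywhere in the path, AS_SET members included."""
    return any(asn in seg for seg in parse_as_path(as_path))


def find_loops(as_path):
    """ASNs that reappear after a different AS intervened. Consecutive repeats
    (prepending) are ignored; AS_SET members are compared individually."""
    flat = [asn for seg in parse_as_path(as_path) for asn in sorted(seg)]
    last_seen = {}
    loops = set()
    for i, asn in enumerate(flat):
        if asn in last_seen and i - last_seen[asn] > 1:
            loops.add(asn)
        last_seen[asn] = i
    return loops


def suspicious_routes(routes, local_as):
    """Map prefix -> list of reasons for every route worth a second look."""
    findings = {}
    for prefix, as_path in routes:
        reasons = []
        if contains_as(as_path, local_as):
            reasons.append(f"local AS {local_as} in AS_PATH")
        loops = find_loops(as_path)
        if loops:
            reasons.append("AS loop: " + ", ".join(str(a) for a in sorted(loops)))
        if reasons:
            findings[prefix] = reasons
    return findings


if __name__ == "__main__":
    for prefix, reasons in suspicious_routes(SAMPLE_ROUTES, LOCAL_AS).items():
        print(prefix, "->", "; ".join(reasons))
```

On the constructed sample the check reports three of the five routes: the two with 23910 in the path (one of them only inside an AS_SET, which a naive regex on the sequence portion would miss) and the one where 64496 reappears, while the heavily prepended route passes.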

Re: Facebook outage?

2015-01-27 Thread Jay Ashworth
- Original Message -
 From: Larry Sheldon larryshel...@cox.net

 On 1/27/2015 00:47, Damien Burke wrote:
  Facebook outage? Everyone panic!
 
  https://twitter.com/search?q=facebooksrc=typd
 
 Let the record show that I noticed it quite a while ago, but did NOT
 go for first NANOG mention.

Proud of you, Larry.

Let the record show that *I* haven't seen any outages all day, from Sprint
LTE.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Facebook outage?

2015-01-27 Thread Owen DeLong

 On Jan 27, 2015, at 10:15 , Larry Sheldon larryshel...@cox.net wrote:
 
 On 1/27/2015 09:02, Roy wrote:
 
 According to one joker, the crash was caused by too many pictures of the
 Northeast blizzard :-)
 
 Cat-picture server went down.

Putting those two things together, I think it was because really, nobody wants 
to see a bunch of frozen pussy.


Get your minds out of the gutter.

Owen



Re: Facebook outage?

2015-01-27 Thread Colin Johnston
Implement service routers for POP machines using CBAC checking and ACLs for 
private address range spoofing.
Block China ranges since they never respond to abuse reports.
Move on.

Colin

 On 27 Jan 2015, at 07:23, Ken Chase m...@sizone.org wrote:
 
 cable was replugged, insta/fb back up here.
 
 /kc
 
 On Tue, Jan 27, 2015 at 02:04:58AM -0500, Zachary said:
 Seems unlikely, probably taking credit for someone tripping over a cable.
 
 -- 
 Ken Chase - m...@sizone.org Toronto



Re: Facebook outage?

2015-01-27 Thread Anthony Jeffries
It is working here in rural Oregon as well. Kudos to the Facebook team
for such a quick recovery.

On Tue, 2015-01-27 at 01:13 -0600, Larry Sheldon wrote:
 On 1/27/2015 00:58, Larry Sheldon wrote:
  On 1/27/2015 00:47, Damien Burke wrote:
  Facebook outage? Everyone panic!
 
  https://twitter.com/search?q=facebooksrc=typd
 
  Let the record show that I noticed it quite a while ago, but did NOT go
  for first NANOG mention.
 
 It is back up in Omaha.
 




Cisco IOS stable/production safe versions?

2015-01-27 Thread Nick Ellermann
I have a Cisco IOS specific question for the group, also specifically 
related to the 6500 platform. We have always been very conservative with the 
IOS version that we run in production; we are still running a pretty old safe 
harbor build of 12.2.x on SUP 720 3BXLs with BGP and OSPF routing. Any advice 
from fellow network operators still running the 6500 platform in the core 
on versions that are considered safe for production? We are stable, but 
I really want access to features such as NetFlow v9, etc.

Thanks for any advice!


Sincerely,
Nick Ellermann - CTO  VP Cloud Services
BroadAspect

E: nellerm...@broadaspect.com
P: 703-297-4639
F: 703-996-4443

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.



Re: Network ops lists.

2015-01-27 Thread Daniel Corbe
Ryan Finnesey r...@finnesey.com writes:

 At one point I stumbled across a site that listed all of the network
 ops lists for the corresponding regions but now I can't seem to find
 it would anyone happen to have a similar list?


Are you referring to a list of regional NOGs?

Because there's other interesting content out there too, like
dns-operations and voice-ops, v6-operations, etc.

-Daniel


Re: ATT uVerse blocking SIP?

2015-01-27 Thread Constantine A. Murenin
On 26 January 2015 at 13:26, Brad Bendy b...@1stclasshosting.com wrote:
 Has anyone seen issues where an end user on uVerse trying to connect to
 either another provider or ATT non-uVerse (in this case DIA) is having SIP
 blocked? SIP leaving the uVerse network going to another uVerse DSL account
 is fine, but it appears as soon as it leaves the uVerse network all SIP traffic
 is blocked?


I used to have ATT U-verse a couple of years back.

Never had any issues with SIP.

Although I stopped using their modem before I started using SIP,
connecting my own router directly to their ONT, so I cannot comment
on whether their 2Wire PoS is the cause of the issues you experience
(but it's indeed quite likely so).

It's worth checking with your customer whether they can throw away
their modem, too.  The modem has two ports -- green-coloured PHONE
LINE and red-coloured BROADBAND.  If they get their connection through
the green PHONE LINE port, it means it's DSL.  If it's through the red
BROADBAND port, it means no modem is required (other than every couple
of months or years for some weird port authentication that they
require), and they can swap their AT&T PoS with any other router.

C.


Re: scaling linux-based router hardware recommendations

2015-01-27 Thread Joe Holden
I get more than that with Realtek NICs on x86; the problem is high interrupt 
rates even with MSI-X. Intel fixes some of those and Chelsio makes it all 
go away...


Just saying :)

On 26/01/2015 23:27, Faisal Imtiaz wrote:

Hi Micah,

There is a segment in the Hardware Side of the industry that produces Network 
Appliances.
(Folks such as Axiomtek, Lanner Electronics, Caswell Networks, Portwell  etc 
etc)

These appliances are commonly used as a commercial (OEM) platform for a variety 
of uses..
Routers, Firewalls, Specialized network applications etc.

Our internal testing (informal) matches up with the commonly quoted PPS 
handling by the different product vendors who incorporate these appliances in 
their network product offerings.

i3/i5/i7 (x86) based network appliances will forward traffic as long as pps 
does not exceed 1.4 million
(In our testing we found the pps to be the limiting factor and not 
the amount of traffic being moved)
(will easily handle 6G to 10G of traffic)

Core2duo (x86) based network appliances will forward traffic as long as pps 
does not exceed 600, pps
(will easily handle 1.5G to 2G of traffic)

Atom based (x86) network appliances will forward traffic as long as pps does 
not exceed 250,000 pps.



Of course, if you start to bog down the router with lots of NAT/ACL/ Bridge 
Rules (i.e. the CPU has to get involved in traffic management) then your actual 
performance will be degraded.

Regards.

Faisal Imtiaz
Snappy Internet  Telecom
7266 SW 48 Street
Miami, FL 33155
Tel: 305 663 5518 x 232

Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net

- Original Message -

From: micah anderson mi...@riseup.net
To: nanog@nanog.org
Sent: Monday, January 26, 2015 5:53:54 PM
Subject: scaling linux-based router hardware recommendations


Hi,

I know that specially programmed ASICs on dedicated hardware like Cisco,
Juniper, etc. are going to always outperform a general purpose server
running gnu/linux, *bsd... but I find the idea of trying to use
proprietary, NSA-backdoored devices difficult to accept, especially when
I don't have the budget for it.

I've noticed that even with a relatively modern system (supermicro with
a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server
adapters, and 16gig of ram, you still tend to get high percentage of
time working on softirqs on all the CPUs when pps reaches somewhere
around 60-70k, and the traffic approaching 600-900mbit/sec (during a
DDoS, such hardware cannot typically cope).

It seems like finding hardware more optimized for very high packet per
second counts would be a good thing to do. I just have no idea what is
out there that could meet these goals. I'm unsure if faster CPUs, or
more CPUs is really the problem, or networking cards, or just plain old
fashioned tuning.

Any ideas or suggestions would be welcome!
micah


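The pps-versus-bandwidth point from the quoted message, as an added example (not code from the post): it works out the frame rate a link can carry at a given frame size, the bit rate a box with a fixed forwarding ceiling actually reaches, and which of the two limits binds. It counts the 8 bytes of preamble/SFD and 12 bytes of inter-frame gap that every Ethernet frame costs on the wire, which is why 64-byte frames on 1GbE top out near 1.49 Mpps. The pps ceilings fed to the demo are the figures quoted above, used as illustrative inputs only; the function names are this example's own.

```python
"""Which limit a forwarder hits first: the link's bit rate or its pps ceiling.

Added example for the pps-versus-bandwidth point in the quoted message; not
code from the post. Frame sizes are wire sizes including the 4-byte FCS, and
every frame additionally costs 8 bytes of preamble/SFD plus 12 bytes of
inter-frame gap. The pps ceilings used in the demo are the ones quoted in
the thread and are illustrative inputs only.
"""
import math

PER_FRAME_OVERHEAD = 8 + 12  # preamble/SFD + minimum inter-frame gap, in bytes


def line_rate_pps(link_bps, frame_bytes):
    """Most frames per second a link can carry at this frame size."""
    return int(link_bps // ((frame_bytes + PER_FRAME_OVERHEAD) * 8))


def pps_bound_throughput_bps(pps_ceiling, frame_bytes):
    """Frame bits per second a box moves when it is pinned at its pps ceiling."""
    return pps_ceiling * frame_bytes * 8


def bottleneck(link_bps, pps_ceiling, frame_bytes):
    """('pps', bps) if the forwarder saturates before the link does, else ('link', bps)."""
    if pps_ceiling < line_rate_pps(link_bps, frame_bytes):
        return "pps", pps_bound_throughput_bps(pps_ceiling, frame_bytes)
    return "link", link_bps


def min_frame_for_link_rate(link_bps, pps_ceiling):
    """Smallest wire frame size at which the link, not the forwarder, is the limit.
    Solves link_bps / ((f + overhead) * 8) <= pps_ceiling for f, floored at the
    64-byte minimum Ethernet frame."""
    f = link_bps / (8 * pps_ceiling) - PER_FRAME_OVERHEAD
    return max(64, math.ceil(f))


if __name__ == "__main__":
    GBIT = 1_000_000_000
    for link, ceiling in ((1 * GBIT, 1_400_000), (10 * GBIT, 1_400_000), (1 * GBIT, 250_000)):
        for size in (64, 512, 1518):
            kind, rate = bottleneck(link, ceiling, size)
            print(f"{link // GBIT:>2}G link, {ceiling:>9,} pps box, {size:>4}B frames: "
                  f"{kind}-bound at {rate / 1e6:,.0f} Mbit/s")
        print(f"   link-bound only from {min_frame_for_link_rate(link, ceiling)}-byte frames up")
```

The practitioner's takeaway is the 10G row: a box rated "handles 10G" with a 1.4 Mpps ceiling moves about 717 Mbit/s of 64-byte frames before it falls over, which is the shape of the small-packet DDoS problem described at the top of the thread.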


Re: ATT uVerse blocking SIP?

2015-01-27 Thread Jared Mauch
I’ve never gotten ATT to respond to issues, including the fact that the device eats 
SIP packets, and some types of SIP packets can actually cause their device 
to reboot as well.

It’s been a few years now since I really chased this down, but beware: all of 
these ‘helpers’, including the Cisco SIP-ALG, are broken.  It’s more damage 
introduced by these CPE devices (like broken DNS proxies, etc).

- Jared

 On Jan 27, 2015, at 9:47 AM, Brad Bendy b...@1stclasshosting.com wrote:
 
 They are saying this CPE has no ALG in it, but they can enable DMZ, which 
 of course made zero difference.
 
 What I do find funny is they escalated the problem to Tier-2 and wanted to 
 enroll the customer in premium tech support for $15 a month, because the 
 Internet signal is strong and is not causing the problem, sigh.
 
 Back to trying port 5061 it appears!
 
 On Mon, Jan 26, 2015 at 8:44 PM, Christopher Morrow morrowc.li...@gmail.com 
 wrote:
 I think this is due to the CPE using a particular ALG ... (from
 recollection having never been a UVerse customer, but having sat
 through a long, long, long set of discussions about the
 merits/demerits of sip blocking)
 
 On Mon, Jan 26, 2015 at 10:22 PM, Jared Mauch ja...@puck.nether.net wrote:
  Yes.  If you move to another port, e.g.: 5061 it works fine.
 
  If you’re running on a Linux based system, you can do this:
 
  /sbin/iptables -A PREROUTING -t nat -i eth1 -p udp --dport 5061 -j REDIRECT 
  --to-port 5060
 
  on the host to remap 5061 -> 5060 with no application change.
 
  - Jared
 
  On Jan 26, 2015, at 4:26 PM, Brad Bendy b...@1stclasshosting.com wrote:
 
  Has anyone seen issues where an end user on uVerse trying to connect to
  either another provider or ATT non-uVerse (in this case DIA) is having SIP
  blocked? SIP leaving the uVerse network going to another uVerse DSL account
  is fine, but it appears as soon as it leaves the uVerse network all SIP traffic
  is blocked?
 
  It appears others have seen this problem, some say it's a modem issue, some
  say they are truly blocking it. Ive yet to call uVerse support yet as im
  guessing ill get no where.
 
  Thanks for any insight on this.
 
  --
  This message contains confidential information and is intended only for the
  individual named. If you are not the named addressee you should not
  disseminate, distribute or copy this e-mail. Please notify the sender
  immediately by e-mail if you have received this e-mail by mistake and
  delete this e-mail from your system. E-mail transmission cannot be
  guaranteed to be secure or error-free as information could be intercepted,
  corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
  The sender therefore does not accept liability for any errors or omissions
  in the contents of this message, which arise as a result of e-mail
  transmission. If verification is required please request a hard-copy
  version. 1st Class Hosting, LLC. 1712 Pioneer Ave, Suite 1854, Cheyenne, WY
  82001
 
 
 
 
 
 
 
 



Re: Facebook outage?

2015-01-27 Thread Roy


According to one joker, the crash was caused by too many pictures of the 
Northeast blizzard :-)




Re: ATT uVerse blocking SIP?

2015-01-27 Thread Brad Bendy
They are saying this CPE has no ALG in it, but they can enable DMZ, which
of course made zero difference.

What I do find funny is they escalated the problem to Tier-2 and wanted to
enroll the customer in premium tech support for $15 a month, because the
Internet signal is strong and is not causing the problem, sigh.

Back to trying port 5061 it appears!

On Mon, Jan 26, 2015 at 8:44 PM, Christopher Morrow morrowc.li...@gmail.com
 wrote:

 I think this is due to the CPE using a particular ALG ... (from
 recollection having never been a UVerse customer, but having sat
 through a long, long, long set of discussions about the
 merits/demerits of sip blocking)

 On Mon, Jan 26, 2015 at 10:22 PM, Jared Mauch ja...@puck.nether.net
 wrote:
  Yes.  If you move to another port, e.g.: 5061 it works fine.
 
  If you’re running on a Linux based system, you can do this:
 
  /sbin/iptables -A PREROUTING -t nat -i eth1 -p udp --dport 5061 -j
 REDIRECT --to-port 5060
 
  on the host to remap 5061 -> 5060 with no application change.
 
  - Jared
 
  On Jan 26, 2015, at 4:26 PM, Brad Bendy b...@1stclasshosting.com wrote:
 
  Has anyone seen issues where an end user on uVerse trying to connect to
  either another provider or ATT non-uVerse (in this case DIA) is having
 SIP
  blocked? SIP leaving the uVerse network going to another uVerse DSL
 account
  is fine, but it appears as soon as it leaves the uVerse network all SIP
 traffic
  is blocked?
 
  It appears others have seen this problem, some say it's a modem issue,
 some
  say they are truly blocking it. Ive yet to call uVerse support yet as im
  guessing ill get no where.
 
  Thanks for any insight on this.
 
 




Re: scaling linux-based router hardware recommendations

2015-01-27 Thread Joe Holden
Easy to make a switch when the only thing you're actually doing is 
telling the ASIC what to do (Cumulus, Ubiquiti, ... every other Broadcom 
vendor out there...)


Better yet - Atheros have finally come out with a 24*1GE + 2*10GE switch 
ASIC - only a matter of time before they challenge Broadcom et al.


On 27/01/2015 01:43, Mike Hammett wrote:

Aren't most of the new whitebox\open source platforms based on switching and not routing? 
I'd assume that the cloud-scale data centers deploying this stuff still have 
more traditional big iron at their cores.

The small\medium sized ISP usually is left behind. They're not big enough to 
afford the big new hardware, but all of their users' NetFlix and porn and 
whatever else they do is chewing up bandwidth. For example, the small\medium 
ISPs are at the Nx10GigE stage now. The new hardware is expensive, the old 
hardware (besides being old) is likely in a huge chassis if you can get any 
sort of port density at all.

48 port GigE switches with a couple 10GigE can be had for $100. A minimum of 24 
port 10GigE switches (except for the occasional IBM switch) is 30x to 40x 
that. Routers (BGP, MPLS, etc.) with more than just a couple of 10GigEs 
are even more money, I'd assume.

I thought vMX was going to save the day, but its pricing for 10 gigs of 
traffic (licensed by throughput and standard\advanced licenses) is really about 
5x - 10x what I'd be willing to pay for it.

Haven't gotten a quote from AlcaLu yet.

Vyatta (last I checked, which was admittedly some time ago) doesn't have MPLS.

The FreeBSD world can bring zero software cost and a stable platform, but no 
MPLS.

Mikrotik brings most (though not all) of the features one would want... a good enough 
feature set, let's say... but is a non-stop flow of bugs. I don't think a week or two 
goes by where one of my friends doesn't submit some sort of reproducible bug to Mikrotik. 
They've also been looking into DPDK for 2.5 years now. It hasn't shown up yet. 
I've used MT for 10 years and I'm always left wanting just a little more, but it may be 
the best balance between the features and performance I want and the ability to pay for 
it.




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

- Original Message -

From: Mehmet Akcin meh...@akcin.net
To: micah anderson mi...@riseup.net
Cc: nanog@nanog.org
Sent: Monday, January 26, 2015 6:06:53 PM
Subject: Re: scaling linux-based router hardware recommendations

Cumulus Networks has some stuff,

http://www.bigswitch.com/sites/default/files/presentations/onug-baremetal-2014-final.pdf

Pretty decent presentation with more details you like.

Mehmet


On Jan 26, 2015, at 8:53 PM, micah anderson mi...@riseup.net wrote:


Hi,

I know that specially programmed ASICs on dedicated hardware like Cisco,
Juniper, etc. are going to always outperform a general purpose server
running gnu/linux, *bsd... but I find the idea of trying to use
proprietary, NSA-backdoored devices difficult to accept, especially when
I don't have the budget for it.

I've noticed that even with a relatively modern system (supermicro with
a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server
adapters, and 16gig of ram, you still tend to get high percentage of
time working on softirqs on all the CPUs when pps reaches somewhere
around 60-70k, and the traffic approaching 600-900mbit/sec (during a
DDoS, such hardware cannot typically cope).

It seems like finding hardware more optimized for very high packet per
second counts would be a good thing to do. I just have no idea what is
out there that could meet these goals. I'm unsure if faster CPUs, or
more CPUs is really the problem, or networking cards, or just plain old
fashioned tuning.

Any ideas or suggestions would be welcome!
micah





Re: scaling linux-based router hardware recommendations

2015-01-27 Thread Eddie Tardist
On Mon, Jan 26, 2015 at 8:53 PM, micah anderson mi...@riseup.net wrote:


 Hi,

 I know that specially programmed ASICs on dedicated hardware like Cisco,
 Juniper, etc. are going to always outperform a general purpose server
 running gnu/linux, *bsd... but I find the idea of trying to use
 proprietary, NSA-backdoored devices difficult to accept, especially when
 I don't have the budget for it.

 I've noticed that even with a relatively modern system (supermicro with
 a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server
 adapters, and 16gig of ram, you still tend to get high percentage of
 time working on softirqs on all the CPUs when pps reaches somewhere
 around 60-70k, and the traffic approaching 600-900mbit/sec (during a
 DDoS, such hardware cannot typically cope).

 It seems like finding hardware more optimized for very high packet per
 second counts would be a good thing to do. I just have no idea what is
 out there that could meet these goals. I'm unsure if faster CPUs, or
 more CPUs is really the problem, or networking cards, or just plain old
 fashioned tuning.

 Any ideas or suggestions would be welcome!
 micah


Hello!

This is a very interesting yet obscure and not widely discussed subject.
And industry generally does not like the discussion to come up in public
lists like this one. If you happen to reach line rate PPS throughput on
x86, for filtering or forwarding, how will they keep that high profit rate
on their products and keep investors happy?

With that said, I am a very happy user for two hardware vendors not widely
known, and a technology very well known but still barely discussed.

I run FreeBSD, the so-called silent workhorse, as a BGP router and also
FreeBSD (or pfSense) as a border firewall.

For hardware vendors, I am a very happy customer of:

- iXSystems (www.ixsystems.com)
- ServerU Inc. (www.serveru.us)

They are both BSD/Linux driven hardware specialists, and they are both very
good consultants and technology engineers.

I run a number of BGP and firewall boxes in GA, NY, FL and some other
locations on the east coast, as well as Belize, BVI, the Bahamas and LATAM.
pfSense is my number one system of choice, but sometimes I run vanilla
FreeBSD, especially in my core locations.

In one central location I have the following setup:

- 1x ServerU Netmap L800 box in Bridge Mode for Core Firewall protection
- 2x ServerU Netmap L800 boxes as BGP router (redundant)
- Several Netmap L800, L100 and iXSystems servers (iXS for everything else
since ServerU are only networking-centric, not high storage high processing
Xeon servers)

In this setup I am running yet another not well known but very promising
technology, called Netmap.

A Netmap firewall (called netmap-ipfw) was supplied by the ServerU vendor;
it's a slightly modified version of what you can download from Luigi
Rizzo's (the netmap author) public repository, with multithread capabilities
based on the number of queues available in the ServerU igb(4) network
card.

What it does is, IMHO, amazing for x86 hardware: line-rate firewall on a
1GbE port (1.3-1.4 Mpps) and line-rate firewall on a 10GbE port (12-14 Mpps)
in a system with an 8 @ 2.4 GHz Intel Rangeley CPU.

It's not Linux DNA. It's not PF_RING. It's not Intel DPDK.

It's netmap, it's there, available, in the FreeBSD base system with a number of
utilities and code for reference on Rizzo's repositories. It's there, it's
available and it's amazing.

This firewall has saved my sleep several times since November, dropping up
to 9Mpps amplified UDP/NTP traffic on peak DDoS attack rates.

For the BGP box, I needed trunking, Q-in-Q and vlan. And sadly right now
this is not available in a netmap implementation.

It means I had to keep my BGP router in the kernel path. It's funny to say
this, but Netmap usually skips the kernel path completely and does its job
directly on the NIC, reaching backplane and bus limits directly.

ServerU people recommended that I use Chelsio Terminator 5 40G ports. OK, I
only needed 10G, but they convinced me not to look at the bits-per-second
numbers but at the packets-per-second number.

Honestly, I don't know how the Chelsio T5 did it; even though ServerU 1GbE
ports perform very well on interrupt CPU usage (probably this is to
Intel igb(4) / ix(4)'s credit), for everything I route from one 40GbE port to
the other port on the same L-800 expansion card I have very, very, very
LOW interrupt rates. Sometimes I have no interrupts at all!!

I peaked at routing 6 Mpps on a ServerU L-800 and still had CPU available.

I am not sure where proper credit is due: to ServerU hardware, to the FreeBSD
OS, to Netmap or to Chelsio. But I am sure of what matters to my VP or
my CFO: $$$

While a T5 card will cost around USD 1,000 and a ServerU L-800 router will
cost another USD 1,200, I have a 2.2k USD overall cost of ownership for a
box that will give me PPS rates that would otherwise cost from 9,000 USD to
12,000 USD on an industry product.

I have followed a good discussion on a Linkedin Group 

Re: Facebook outage?

2015-01-27 Thread Larry Sheldon

On 1/27/2015 09:02, Roy wrote:


According to one joker, the crash was caused by too many pictures of the
Northeast blizzard :-)


Cat-picture server went down.


--
The unique Characteristics of System Administrators:

The fact that they are infallible; and,

The fact that they learn from their mistakes.


Quis custodiet ipsos custodes


Re: scaling linux-based router hardware recommendations

2015-01-27 Thread Pavel Odintsov
Hello!

You could try to build a simple router with DPDK yourself. It's very
straightforward and has good examples for simple routing.

I have done some tests with PF_RING ZC (it's a very similar technology
to DPDK, without specialization in building network devices) while
testing my DDoS monitoring solution, and it works perfectly. I can achieve
8 million packets per second (10GE with 120-byte packets) on a very
slow Intel Xeon E5 2420.

You could look at these tests from the PF_RING developers:
http://www.ntop.org/pf_ring/pf_ring-dna-rfc-2544-benchmark/

But building a router on top of PF_RING or DPDK is a very challenging task
because everyone wants very different things (BGP, OSPF, RIP... etc.).

On Tue, Jan 27, 2015 at 1:54 PM, Paul S. cont...@winterei.se wrote:
 Anyone aware of any dpdk enabled solutions in the software routing space
 that doesn't cost an arm and a leg?

 vMX certainly does.


 On 1/27/2015 午後 04:33, Pavel Odintsov wrote:

 Hello!

 Looks like somebody wants to build a Linux soft router!) Nice idea for
 routing 10-30 Gbps. I route about 5+ Gbps on a Xeon E5-2620v2 with 4
 10GE Intel 82599 cards and Debian Wheezy 3.2 (but it's a really terrible
 kernel; everyone should use modern kernels since 3.16 because of the buggy
 Linux route cache). My current processor load on the server is about
 15%, thus I can route about 15 GE on my Linux server.

 Surely, you should deploy a backup server too in case the master server fails.

 On Tue, Jan 27, 2015 at 1:53 AM, micah anderson mi...@riseup.net wrote:

 Hi,

 I know that specially programmed ASICs on dedicated hardware like Cisco,
 Juniper, etc. are going to always outperform a general purpose server
 running gnu/linux, *bsd... but I find the idea of trying to use
 proprietary, NSA-backdoored devices difficult to accept, especially when
 I don't have the budget for it.

 I've noticed that even with a relatively modern system (supermicro with
 a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server
 adapters, and 16gig of ram, you still tend to get high percentage of
 time working on softirqs on all the CPUs when pps reaches somewhere
 around 60-70k, and the traffic approaching 600-900mbit/sec (during a
 DDoS, such hardware cannot typically cope).

 It seems like finding hardware more optimized for very high packet per
 second counts would be a good thing to do. I just have no idea what is
 out there that could meet these goals. I'm unsure if faster CPUs, or
 more CPUs is really the problem, or networking cards, or just plain old
 fashioned tuning.

 Any ideas or suggestions would be welcome!
 micah







-- 
Sincerely yours, Pavel Odintsov


Re: scaling linux-based router hardware recommendations

2015-01-27 Thread Paul S.
Anyone aware of any dpdk enabled solutions in the software routing space 
that doesn't cost an arm and a leg?


vMX certainly does.

On 1/27/2015 午後 04:33, Pavel Odintsov wrote:

Hello!

Looks like somebody wants to build a Linux soft router!) Nice idea for
routing 10-30 Gbps. I route about 5+ Gbps on a Xeon E5-2620v2 with 4
10GE Intel 82599 cards and Debian Wheezy 3.2 (but it's a really terrible
kernel; everyone should use modern kernels since 3.16 because of the buggy
Linux route cache). My current processor load on the server is about
15%, thus I can route about 15 GE on my Linux server.

Surely, you should deploy a backup server too in case the master server fails.

On Tue, Jan 27, 2015 at 1:53 AM, micah anderson mi...@riseup.net wrote:

Hi,

I know that specially programmed ASICs on dedicated hardware like Cisco,
Juniper, etc. are going to always outperform a general purpose server
running gnu/linux, *bsd... but I find the idea of trying to use
proprietary, NSA-backdoored devices difficult to accept, especially when
I don't have the budget for it.

I've noticed that even with a relatively modern system (supermicro with
a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server
adapters, and 16gig of ram, you still tend to get high percentage of
time working on softirqs on all the CPUs when pps reaches somewhere
around 60-70k, and the traffic approaching 600-900mbit/sec (during a
DDoS, such hardware cannot typically cope).

It seems like finding hardware more optimized for very high packet per
second counts would be a good thing to do. I just have no idea what is
out there that could meet these goals. I'm unsure if faster CPUs, or
more CPUs is really the problem, or networking cards, or just plain old
fashioned tuning.

Any ideas or suggestions would be welcome!
micah








Re: scaling linux-based router hardware recommendations

2015-01-27 Thread Baldur Norddahl
I propose the hybrid solution:

A device such as the ZTE 5960e with 24x 10G and 2x 40G will set you back about
USD 6000.

This thing can do MPLS and L3 equal cost multiple path routing. With that
you can load balance across as many software routers as you need.

It also speaks BGP and can accept about 10k routes. So maybe you could
consider if the full table is really worth it.

It would be possible to have your software router speak BGP with the
neighbors and use next hop to direct the traffic directly to the switch. Or
use proxy arp if the peer does not want to allow you to specify a different
next hop than the BGP speaker. This way your software router is only moving
outgoing packets. Inbound packets will never go through the computer, but
will instead be delivered directly to the correct destination by hardware
switching.

If you are an ISP, you will often have more inbound traffic, so this is very
useful. Also, the weak point of the software router is denial of service
attacks with small packets. The attacks are likely from outside your
network, so your software router will not need to route them.

We need someone to code a BGP daemon that will export the 5k most used
routes to the switch. This way you can have the switch deliver the majority
of the traffic directly to your peers.

If you are a service provider, much of your traffic is outbound. Put your
servers or multiple routers/firewalls on the same vlan as your transit.
Then add static host routes for next hop on all servers. This way you can
have as many servers as you need to deliver traffic directly. You can run
iBGP on all the servers, so every server knows how to route outbound by
itself. MPLS would also be useful for this instead of vlan, but there is no
good MPLS implementation for Linux.

Regards,

Baldur

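The route-selection part of the hybrid design above, as an added example (not code from the post, nor any vendor's or project's implementation): it attributes sampled traffic to the RIB entry that actually forwards it, ranks routes by bytes, and fills the switch's limited route slots greedily. It also handles the trap a naive "top N by traffic" walks into: if a covering prefix is exported without a more-specific that the RIB holds for it, the switch's own longest-prefix match sends the more-specific's traffic to the wrong next hop, so a prefix is only exported together with all of its more-specifics. It assumes a default route on the switch pointing back at the software router for everything not exported, which is what makes partial export safe. The RIB, flow samples, next-hop labels (RFC 5398 documentation ASNs) and function names are constructed for this example.

```python
"""Choose which routes to push into a hardware switch with a limited FIB.

Added example for the hybrid design described above; not code from the post
or from any vendor. Assumptions: the software router holds the full RIB as
prefix -> next hop, per-destination traffic is known from flow samples, the
switch has a fixed number of route slots, and the switch also carries a
default route back to the software router for anything not exported. All
data below is constructed (documentation prefixes; next hops labelled with
RFC 5398 documentation ASNs).
"""
import ipaddress
from collections import defaultdict

RIB = {
    "203.0.113.0/24": "AS64498",
    "198.51.100.0/24": "AS64496",
    "198.51.100.128/25": "AS64497",  # more-specific of the /24 with a different next hop
    "192.0.2.0/24": "AS64499",
}

# Constructed flow samples: (destination address, bytes seen in the interval).
FLOWS = [
    ("203.0.113.5", 300), ("203.0.113.6", 300),
    ("198.51.100.10", 400),
    ("198.51.100.200", 100),  # inside the /25, so it belongs to AS64497
    ("192.0.2.9", 50),
    ("100.64.0.1", 10),       # not covered by any RIB entry
]


def longest_prefix_match(dst, rib):
    """Prefix string of the most specific RIB entry covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def bytes_per_route(rib, flows):
    """Attribute sampled bytes to the RIB entry that actually forwards them."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        prefix = longest_prefix_match(dst, rib)
        if prefix is not None:
            totals[prefix] += nbytes
    return dict(totals)


def more_specifics(prefix, rib):
    """Every other RIB prefix that lies inside `prefix`."""
    net = ipaddress.ip_network(prefix)
    return {p for p in rib if p != prefix and ipaddress.ip_network(p).subnet_of(net)}


def select_hardware_routes(rib, flows, capacity):
    """Greedy top-N by traffic with one safety rule: a prefix is exported only
    together with all of its more-specifics. Exporting the /24 without the /25
    would make the switch's longest-prefix match send the /25's traffic to the
    /24's next hop, silently misrouting it."""
    totals = bytes_per_route(rib, flows)
    ranked = sorted(rib, key=lambda p: (-totals.get(p, 0), p))
    selected = set()
    for prefix in ranked:
        family = {prefix} | more_specifics(prefix, rib)
        if len(selected | family) <= capacity:
            selected |= family
    return {p: rib[p] for p in ranked if p in selected}


def hardware_coverage(rib, flows, selected):
    """Fraction of sampled bytes the switch forwards on its own; the rest
    follows the default route to the software router."""
    total = sum(b for _, b in flows)
    in_hw = sum(b for dst, b in flows if longest_prefix_match(dst, rib) in selected)
    return in_hw / total if total else 0.0


if __name__ == "__main__":
    for cap in (2, 3):
        chosen = select_hardware_routes(RIB, FLOWS, cap)
        print(cap, "slots:", chosen, f"{hardware_coverage(RIB, FLOWS, chosen):.0%} in hardware")
```

With two slots the busiest /24 is skipped in favour of the /25 it would otherwise shadow, so the switch handles about 60% of the sampled bytes correctly; with three slots the /24 and its /25 go in together and coverage rises to about 95%. The same rule is what makes the "5k most used routes" idea safe against the full table: the selection has to be closed under more-specifics, not just sorted by counters.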

Re: scaling linux-based router hardware recommendations

2015-01-27 Thread Hugo Slabbert
There is also some work in progress to improve network performance in the 
Linux kernel:


https://lwn.net/Articles/629155/

Preliminary, but encouraging that work is under way.

--
Hugo

On Tue 2015-Jan-27 11:33:16 +0400, Pavel Odintsov pavel.odint...@gmail.com 
wrote:


> Hello!
>
> Looks like somebody wants to build a Linux soft router!) Nice idea for
> routing 10-30 GBps. I route about 5+ Gbps on a Xeon E5-2620v2 with 4
> 10GE cards (Intel 82599) and Debian Wheezy 3.2 (but it's a really terrible
> kernel; everyone should use modern kernels since 3.16 because of the buggy
> Linux route cache). My current processor load on the server is about
> 15%, thus I can route about 15 GE on my Linux server.
>
> Surely, you should deploy a backup server too if the master server fails.
>
> On Tue, Jan 27, 2015 at 1:53 AM, micah anderson mi...@riseup.net wrote:
>
> > Hi,
> >
> > I know that specially programmed ASICs on dedicated hardware like Cisco,
> > Juniper, etc. are always going to outperform a general purpose server
> > running gnu/linux, *bsd... but I find the idea of trying to use
> > proprietary, NSA-backdoored devices difficult to accept, especially when
> > I don't have the budget for it.
> >
> > I've noticed that even with a relatively modern system (supermicro with
> > a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server
> > adapters, and 16gig of ram), you still tend to get a high percentage of
> > time working on softirqs on all the CPUs when pps reaches somewhere
> > around 60-70k, and the traffic approaching 600-900mbit/sec (during a
> > DDoS, such hardware cannot typically cope).
> >
> > It seems like finding hardware more optimized for very high packet per
> > second counts would be a good thing to do. I just have no idea what is
> > out there that could meet these goals. I'm unsure if faster CPUs, or
> > more CPUs is really the problem, or networking cards, or just plain old
> > fashioned tuning.
> >
> > Any ideas or suggestions would be welcome!
> > micah
>
> --
> Sincerely yours, Pavel Odintsov


--
Hugo




Re: scaling linux-based router hardware recommendations

2015-01-27 Thread Eduardo Schoedler
Can be Freebsd-based?
http://info.iet.unipi.it/~luigi/netmap/


2015-01-27 14:22 GMT-02:00 Hugo Slabbert h...@slabnet.com:

> There is also some work in progress to improve network performance in the
> Linux kernel:
>
> https://lwn.net/Articles/629155/
>
> Preliminary, but encouraging that work is under way.
>
> --
> Hugo
>
>
> On Tue 2015-Jan-27 11:33:16 +0400, Pavel Odintsov
> pavel.odint...@gmail.com wrote:
>
> > Hello!
> >
> > Looks like somebody wants to build a Linux soft router!) Nice idea for
> > routing 10-30 GBps. I route about 5+ Gbps on a Xeon E5-2620v2 with 4
> > 10GE cards (Intel 82599) and Debian Wheezy 3.2 (but it's a really terrible
> > kernel; everyone should use modern kernels since 3.16 because of the buggy
> > Linux route cache). My current processor load on the server is about
> > 15%, thus I can route about 15 GE on my Linux server.
> >
> > Surely, you should deploy a backup server too if the master server fails.
> >
> > On Tue, Jan 27, 2015 at 1:53 AM, micah anderson mi...@riseup.net wrote:
> >
> > > Hi,
> > >
> > > I know that specially programmed ASICs on dedicated hardware like Cisco,
> > > Juniper, etc. are always going to outperform a general purpose server
> > > running gnu/linux, *bsd... but I find the idea of trying to use
> > > proprietary, NSA-backdoored devices difficult to accept, especially when
> > > I don't have the budget for it.
> > >
> > > I've noticed that even with a relatively modern system (supermicro with
> > > a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server
> > > adapters, and 16gig of ram), you still tend to get a high percentage of
> > > time working on softirqs on all the CPUs when pps reaches somewhere
> > > around 60-70k, and the traffic approaching 600-900mbit/sec (during a
> > > DDoS, such hardware cannot typically cope).
> > >
> > > It seems like finding hardware more optimized for very high packet per
> > > second counts would be a good thing to do. I just have no idea what is
> > > out there that could meet these goals. I'm unsure if faster CPUs, or
> > > more CPUs is really the problem, or networking cards, or just plain old
> > > fashioned tuning.
> > >
> > > Any ideas or suggestions would be welcome!
> > > micah
> >
> > --
> > Sincerely yours, Pavel Odintsov
>
> --
> Hugo




-- 
Eduardo Schoedler


Re: scaling linux-based router hardware recommendations

2015-01-27 Thread Jim Shankland

On 1/26/15 11:33 PM, Pavel Odintsov wrote:

> Hello!
>
> Looks like somebody wants to build a Linux soft router!) Nice idea for
> routing 10-30 GBps. I route about 5+ Gbps on a Xeon E5-2620v2 with 4
> 10GE cards (Intel 82599) and Debian Wheezy 3.2 (but it's a really terrible
> kernel; everyone should use modern kernels since 3.16 because of the buggy
> Linux route cache). My current processor load on the server is about
> 15%, thus I can route about 15 GE on my Linux server.


I looked into the promise and limits of this approach pretty intensively 
a few years back before abandoning the effort abruptly due to other 
constraints. Underscoring what others have said: it's all about pps, not 
aggregate throughput. Modern NICs can inject packets at line rate into 
the kernel, and distribute them across per-processor queues, etc. 
Payloads end up getting DMA-ed from NIC to RAM to NIC. There's really no 
reason you shouldn't be able to push 80 Gb/s of traffic, or more, 
through these boxes. As for routing protocol performance (BGP 
convergence time, ability to handle multiple full tables, etc.): that's
just CPU and RAM.


The part that's hard (as in can't be fixed without rethinking this 
approach) is the per-packet routing overhead: the cost of reading the 
packet header, looking up the destination in the routing table, 
decrementing the TTL, and enqueueing the packet on the correct outbound 
interface. At the time, I was able to convince myself that being able to 
do this in 4 us, average, in the Linux kernel, was within reach. That's 
not really very much time: you start asking things like will the entire 
routing table fit into the L2 cache?


4 us to think about each packet comes out to 250Kpps per processor; 
with 24 processors, it's 6Mpps (assuming zero concurrency/locking 
overhead, which might be a little bit of an ... assumption). With 
1500-byte packets, 6Mpps is 72 Gb/s of throughput -- not too shabby. But 
with 40-byte packets, it's less than 2 Gb/s. Which means that your Xeon 
E5-2620v2 will not cope well with a DDoS of 40-byte packets. That's not
necessarily a reason not to use this approach, depending on your 
situation; but it's something to be aware of.


I ended up convincing myself that OpenFlow was the right general idea: 
marry fast, dumb, and cheap switching hardware with fast, smart, and 
cheap generic CPU for the complicated stuff.


My expertise, such as it ever was, is a bit stale at this point, and my 
figures might be a little off. But I think the general principle 
applies: think about the minimum number of x86 instructions, and the 
minimum number of main memory accesses, to inspect a packet header, do a 
routing table lookup, and enqueue the packet on an outbound interface. I 
can't see that ever getting reduced to the point where a generic server 
can handle 40-byte packets at line rate (for that matter, line rate is 
increasing a lot faster than speed of generic server these days).


Jim

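Jim's arithmetic (4 us per packet, 24 cores, 1500- versus 40-byte packets) generalised into a small capacity model, as an added example that is not from the thread or from any of its posters. The 20-byte Ethernet per-frame overhead (preamble, SFD and inter-frame gap) and the `lock_overhead` fraction are assumed inputs; the rest is the calculation Jim walks through, plus the inverse question a planner usually wants answered when sizing against a small-packet flood: how many microseconds per packet each core may spend and still keep up with the link's line rate.

```python
"""Packet-rate budget for a software router (added example, not from the thread).

Reproduces the post's numbers: 4 us/packet on 24 cores is 6 Mpps, which is
72 Gb/s of 1500-byte packets but under 2 Gb/s of 40-byte packets. Then turns
the question around: at a link's minimum-frame line rate, how long may each
packet take per core?
"""

# Assumed wire overhead per Ethernet frame: 8 B preamble+SFD, 12 B inter-frame gap.
ETH_OVERHEAD_BYTES = 20


def pps_per_core(per_packet_us):
    """Packets per second one core forwards at a fixed per-packet cost."""
    return 1_000_000 / per_packet_us


def forwarding_pps(per_packet_us, cores, lock_overhead=0.0):
    """Aggregate packets/s across cores; lock_overhead is the fraction of
    capacity assumed lost to contention (0.0 is the post's no-locking case)."""
    return pps_per_core(per_packet_us) * cores * (1.0 - lock_overhead)


def throughput_gbps(pps, packet_bytes):
    """IP-layer bits/s delivered at a given packet rate and packet size."""
    return pps * packet_bytes * 8 / 1e9


def line_rate_pps(link_gbps, frame_bytes):
    """Packets/s a link carries at one frame size, counting wire overhead.
    10GE at 64-byte frames gives the familiar ~14.88 Mpps."""
    return link_gbps * 1e9 / ((frame_bytes + ETH_OVERHEAD_BYTES) * 8)


def budget_us_for_line_rate(link_gbps, frame_bytes, cores, lock_overhead=0.0):
    """Per-packet time (us) each core may spend and still match line rate."""
    return cores * (1.0 - lock_overhead) * 1_000_000 / line_rate_pps(link_gbps, frame_bytes)


if __name__ == "__main__":
    pps = forwarding_pps(4, 24)
    print(f"{pps / 1e6:.1f} Mpps total")
    for size in (1500, 512, 64, 40):
        print(f"  {size:5d}-byte packets: {throughput_gbps(pps, size):6.2f} Gb/s")
    print(f"10GE @ 64 B needs {line_rate_pps(10, 64) / 1e6:.2f} Mpps;")
    print(f"  budget per packet per core (24 cores): "
          f"{budget_us_for_line_rate(10, 64, 24):.2f} us")
```

The useful reading of the last number is that a 24-core box would have to handle a minimum-size frame in roughly 1.6 us per core, with zero contention, just to keep a single 10GE port busy; that is the gap between "can push 80 Gb/s of large packets" and "copes with a 40-byte flood" that Jim describes.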

Re: ATT uVerse blocking SIP?

2015-01-27 Thread Dan Lowe


On Mon, Jan 26, 2015, at 10:22 PM, Jared Mauch wrote:
> Yes.  If you move to another port, e.g.: 5061 it works fine.
>
> If you’re running on a Linux based system, you can do this:
>
> /sbin/iptables -A PREROUTING -t nat -i eth1 -p udp --dport 5061 -j
> REDIRECT --to-port 5060
>
> on the host to remap 5061 -> 5060 with no application change.
>
> - Jared

In most cases the above has worked fine (we also use a 15060 -> 5060
remap), but I have one user for whom nothing seems to work. The problem
has persisted with different models of CPE, different phones, different
server-side ports (5060, 5061, 15060). They even moved and the problem
followed them to a new house (albeit in the same area). I was never able
to work out the issue and have been assuming it's a regional problem in
Uverse (in this case it was near Austin, TX).

IIRC, the user ended up switching to cable.

Dan


Re: Network ops lists.

2015-01-27 Thread Seiichi Kawamura
Not my list, but here's one.
http://www.bugest.net/nogs.html

I'm sure there's more though. BDNOG, BTNOG, HKNOG ...

-Seiichi

(2015/01/28 6:20), Ryan Finnesey wrote:
> At one point I stumbled across a site that listed all of the network ops
> lists for the corresponding regions, but now I can't seem to find it. Would
> anyone happen to have a similar list?
>
> Sent from my iPad