On Fri, Oct 1, 2021 at 9:08 AM Laura Smith via NANOG <nanog@nanog.org> wrote:

> The bad news now, is, there are plenty of many, small, local
> and regional ISP's who are willing to do whatever it takes to
> work with the content providers. All that's required is some
> network, a half-decent data centre and an exchange point. Gone
> are the days where customers clamored to sign up with Big
> Telco.

Speaking as one of those smaller ISPs willing to do whatever it takes, perhaps you could answer me this riddle.....

- PoP in one of your "half-decent data centres" ... tick.
- Connection to one of your "exchange point" ... tick.
- $certain_large_cdn present on said "exchange point" ... tick.

And yet .....

- $certain_large_cdn publishes routes on route server? Nope.
- $certain_large_cdn willing to establish direct peering session? Nope.

I am well aware of the "big boys club" that operates at most exchanges, where the large networks consider it beneath them to peer with (or publish routes for the benefit of) the unwashed masses.

But I struggle to comprehend why $certain_large_cdn would effectively cut off their nose to spite their face?


Having worked on building out a global content delivery network, 
I can hopefully shed some light here.

Let's imagine a scenario where you have a CDN node attached to 
a large peering location.

At that peering location, you have Nx100G direct peering links to 
large eyeball networks, and Nx10G direct peering links to midsized 
eyeball networks.  

You have a historical connection into the peering switch as well, 
which you've kept around and upgraded as time went by.  Life 
is generally good.  You've got your own backbone between 
your locations, and you capacity engineer your infrastructure 
so that if your peering sessions go down at that site, users 
are redirected to the next closest CDN node.  

Then one day, Bad Juju(tm) happens.  The router that your 
Nx100G links with Large Eyeball Network A terminate on 
goes down--it doesn't matter whether it's on their end or 
yours, those direct sessions go down.  But instead of 
failing over to site B, your traffic keeps flowing: it's 
now going through the route server sessions, across the 
grossly undersized connection into the public peering 
switch, and *nobody* is happy about that.  You try putting 
import and export lists into the route server, but they 
don't seem to take effect, and the phone is ringing off 
the hook, so you simply stop exporting routes into the 
route server.  Suddenly traffic fails over to site B for 
all the eyeball requests from Large Eyeball Network A, 
and you get to explain to your boss how those route 
server sessions caused the failover plan to fail badly. 
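To make the failure mode concrete, here's a toy Python sketch of 
the path selection involved.  All the names, preferences, and 
capacities are invented for illustration--this isn't any vendor's 
implementation--but it shows why, as long as the route-server path 
exists at site A, traffic never shifts to site B:

```python
# Toy model: path selection prefers the best *local* route, so the
# route-server session masks the loss of the direct peering links.
# Preferences and capacities below are illustrative assumptions.

def best_path(paths):
    """Pick the highest-preference path that is still up."""
    live = [p for p in paths if p["up"]]
    return max(live, key=lambda p: p["pref"]) if live else None

site_a_paths = [
    {"via": "direct-peering-Nx100G",     "pref": 200, "gbps": 400, "up": True},
    {"via": "route-server-public-port",  "pref": 100, "gbps": 10,  "up": True},
    {"via": "failover-to-site-B",        "pref": 50,  "gbps": 400, "up": True},
]

# Normal operation: traffic rides the direct Nx100G sessions.
print(best_path(site_a_paths)["via"])   # direct-peering-Nx100G

# The router carrying the direct sessions dies...
site_a_paths[0]["up"] = False
# ...and traffic spills onto the 10G public port, not site B.
print(best_path(site_a_paths)["via"])   # route-server-public-port

# Only once routes stop being exported to the route server does
# the failover plan finally behave as designed.
site_a_paths[1]["up"] = False
print(best_path(site_a_paths)["via"])   # failover-to-site-B
```

The point of the sketch: the failover plan assumed "sessions at 
site A down" meant "no paths at site A", and the route-server 
session quietly broke that assumption.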

The decision is made that route server peering sessions are 
too far removed from direct control to be safe, and that the 
only way to effectively prevent this scenario from happening 
again is to stop announcing routes to the route servers.

You're a smaller network; you're caught up in this, because you'd 
been getting routes from the route server, and now you're not.  
You request direct peering; unfortunately, the ports on the existing 
line cards on the CDN edge routers are full, and it's going to be 
months before the next capacity upgrade is planned; and those 
line cards are all 100G cards, with no 10G ports planned.  It's 
decided that letting that traffic get handled by the transit ports is 
cheaper than trying to get some additional 10G peering port capacity 
at the site.  And so, your request for direct peering is denied; there's 
just no place to plug you in on the router on the other side, unless 
you can drum up enough traffic to justify a 100G peering link. 

Establishing direct peering across the peering fabric then 
becomes the only remaining option; but unlike the route-server 
mediated prefix exchange, that requires adding explicit 
neighbor configuration to the router, and you're still 
running into limitations on the edge routers--though in this 
case it's not physical port limitations, it's neighbor 
adjacency limits on the routers.  The more neighbors you 
configure on an 
edge router, the longer the configs are, and depending on how 
the neighbors are established, the more processing power and 
memory it takes on the router.  At a certain point, there's just not 
enough to go around, and the CDN makes the decision to not add 
any new BGP neighbors at that site.  A few years down the line, 
when hardware is added/upgraded, they may revisit that decision, 
or it may persist, even after the upgrade, due simply to corporate 
inertia--nobody goes back to revisit the decision, and see if it still 
makes sense or not.
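The resource argument amounts to back-of-envelope arithmetic.  A 
minimal sketch, with the caveat that the adjacency limit and 
per-session memory figures below are invented placeholders, not 
real platform numbers:

```python
# Hypothetical edge-router BGP neighbor budget.  Both constants
# are made-up illustrations, not real platform limits.
NEIGHBOR_LIMIT = 250          # assumed max supported adjacencies
MEM_PER_NEIGHBOR_MB = 64      # assumed RIB/TCP state per session

def can_add_neighbors(current, requested, mem_free_mb):
    """True if the router has both adjacency slots and memory left."""
    if current + requested > NEIGHBOR_LIMIT:
        return False
    return requested * MEM_PER_NEIGHBOR_MB <= mem_free_mb

# 240 neighbors already configured, 2 GB of control-plane RAM free:
print(can_add_neighbors(240, 5, 2048))    # True  -> session gets built
print(can_add_neighbors(240, 20, 2048))   # False -> "no new neighbors"
```

Once the answer at a site flips to False, "no new BGP neighbors 
here" tends to become policy, and the policy outlives the hardware 
that motivated it.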

Sometimes it's just a case of limited humans; without good automation 
tools in place, adding BGP adjacencies takes a ticket being created 
in a request system, and then another more highly skilled human 
going into the router to configure the neighbor.  If you've got a limited 
number of skilled humans available (and every company has fewer 
of those than they really need, but that's always going to be the case), 
the decision generally gets made to focus their attention on efforts 
that bring in more revenue--and configuring public peering sessions 
generally doesn't fall into that bucket.  :(

And sometimes, financial considerations come into play.  The 
CDN has a default upstream transit provider to catch the 
traffic that isn't handled by direct peering, and the transit 
provider gives a really nice price break once the volume 
reaches the next tier; so a CDN sitting just *below* the 
cheaper tier looks for traffic it can shunt onto transit, to 
nudge the volume over the line and qualify for the lower 
per-Mbit price point--and the easiest traffic to use for 
that nudge is the smaller public peering neighbor traffic.  
And so, your request for direct peering is looked at, and 
your traffic volume is deemed the perfect fit to fill out 
the transit commitment needed to bump them into the 
cheaper tier.
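The tier math is simple enough to sketch.  The rates and volumes 
below are invented, but the shape of the incentive is real: past 
a volume threshold, the cheaper rate applies to *all* the traffic, 
so pushing a little more onto transit can lower the total bill:

```python
# Sketch of commit-tier pricing: shifting a few gigs of small-peer
# traffic onto transit can reduce the blended cost.  All rates and
# thresholds here are hypothetical.

def monthly_cost(gbps, tiers):
    """Cost at the applicable tier; tiers sorted high-volume first."""
    for min_gbps, price_per_mbit in tiers:
        if gbps >= min_gbps:
            return round(gbps * 1000 * price_per_mbit, 2)
    raise ValueError("no tier matched")

# Hypothetical tiering: >= 100G at $0.05/Mbit, otherwise $0.08/Mbit.
tiers = [(100, 0.05), (0, 0.08)]

print(monthly_cost(95, tiers))    # 95G, below the break:  7600.0
# Shunt ~5G of public-peering traffic onto transit instead:
print(monthly_cost(100, tiers))   # 100G, cheaper tier:    5000.0
```

Counterintuitively, carrying *more* transit traffic costs less 
here--which is exactly why a peering request can lose out to the 
transit commitment.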

In a perfect world, these would all be solvable issues, and exchanging 
traffic directly with the CDN across the public switches would make 
sense for everybody involved.

Unfortunately, we live in an imperfect world: route server 
filters that don't react quickly or with the precision 
needed, limits on how many BGP adjacencies routers can 
handle, limited port counts on line cards, limited numbers 
of humans to make changes to router configurations, and 
economic pressure to meet volume thresholds for better 
pricing all combine to create the scenario you find 
yourself in: a completely reasonable request for direct 
peering is nonetheless ignored, or denied, for one or 
more of the reasons I've discussed. 

Thanks!

Matt