On Tue, Nov 8, 2011 at 1:14 PM, <bmanning@vacation.karoshi.com> wrote:
that was/is kind of orthogonal to the question... would the sidr plan for routing security have been a help in this event? nice to know unsecured IPv6 took some of the load when the unsecured IPv4 path failed.
if all routing goes boom, would secure routing have saved you? no... all routing went boom.
the answer seems to be NO, it would not have helped and would have actually contributed to network instability with large numbers of validation requests sent to the sidr/ca nodes.
I think actually it wouldn't have caused more validation requests, the routers have (in some form of the plan) a cache from their local cache, they use this for origin validation... there's not a requirement to refresh up the entire chain. (I think). -chris
/bill
On Tue, Nov 08, 2011 at 10:01:04AM -0800, Mike Leber wrote:
We saw an increase in IPv6 traffic which correlated time wise with the onset of this IPv4 incident.
Happy eyeballs in action, automatically shifting what it could.
Mike.
On 11/8/11 2:56 AM, bmanning@vacation.karoshi.com wrote:
how would a sidr-enabled routing infrastructure have fared in yesterday's routing circus?
/bill
In a message written on Tue, Nov 08, 2011 at 04:22:48PM -0500, Christopher Morrow wrote:
I think actually it wouldn't have caused more validation requests, the routers have (in some form of the plan) a cache from their local cache, they use this for origin validation... there's not a requirement to refresh up the entire chain. (I think).
I kinda think everyone is wrong here, but Chris is closer to accurate. :P
When a router goes boom, the rest of the routers recalculate around it. Generally speaking all of the routers will have already had a route with the same origin, and thus have hopefully cached a lookup of the origin. However, that lookup might have been done days/weeks/months ago, in a stable network.
While I'm not familiar with the nitty gritty details here, caches expire for various reasons. The mere act of the route changing paths, if it moved to a device with a stale cache, would trigger a new lookup, right?
Basically I would expect any routing change to generate a set of new lookups proportional to the cache expiration rules.
What am I missing?
--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
On 8 Nov 2011, at 21:37, "Leo Bicknell" <bicknell@ufp.org> wrote:
In a message written on Tue, Nov 08, 2011 at 04:22:48PM -0500, Christopher Morrow wrote:
I think actually it wouldn't have caused more validation requests, the routers have (in some form of the plan) a cache from their local cache, they use this for origin validation... there's not a requirement to refresh up the entire chain. (I think).
I kinda think everyone is wrong here, but Chris is closer to accurate. :P
When a router goes boom, the rest of the routers recalculate around it. Generally speaking all of the routers will have already had a route with the same origin, and thus have hopefully cached a lookup of the origin. However, that lookup might have been done days/weeks/months ago, in a stable network.
While I'm not familiar with the nitty gritty details here, caches expire for various reasons. The mere act of the route changing paths, if it moved to a device with a stale cache, would trigger a new lookup, right?
Basically I would expect any routing change to generate a set of new lookups proportional to the cache expiration rules.
Which may very well fail because all the routing is hosed.
I'm not all that familiar with the potential implementation issues, but I would think that network-local caches would be in order. Even with local caches, I would expect a high incidence of change to trigger something sensible to mitigate this kind of craziness from happening.
I am sure enough people have had incorrectly scaled RADIUS farms blow up when a load of DSLAMS vanish and come back again not to repeat such storms.
--
Leigh Porter
On Nov 9, 2011, at 4:22 AM, Christopher Morrow wrote:
the routers have (in some form of the plan) a cache
A cache that's persistent across reboots?
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
The basis of optimism is sheer terror.
-- Oscar Wilde
On Tue, Nov 8, 2011 at 5:26 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Nov 9, 2011, at 4:22 AM, Christopher Morrow wrote:
the routers have (in some form of the plan) a cache
A cache that's persistent across reboots?
not across reboots, but in this case routers didn't necessarily reboot (parts of them did though). in the case of a reboot, sure, pull from your local cache, no 'walk up the chain' is required here.
participants (4)
- Christopher Morrow
- Dobbins, Roland
- Leigh Porter
- Leo Bicknell