RE: MD5 BGP performance on a VXR?
Ben,

My first question would be how big is your prefix list per BGP session? What is really going to task this router with 25 sessions is the BGP Scanner and BGP Router processes. To my knowledge MD5 is just for authenticating the session. I could be wrong.

Tony Newell
Technical Lead
RTSG-BB IP Networking

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Ben Buxton
Sent: Friday, June 11, 2004 5:49 AM
To: nanog@merit.edu
Subject: MD5 BGP performance on a VXR?

Has anyone done any concrete testing on how well a 7206VXR with an NPE-300 can handle BGP MD5? The box in question has about 25 sessions and is pushing 150Mbps, with a 75% CPU load. I'm curious to know if it's the MD5 taking all the CPU.

Thanks,
Ben

On Jun 11, 2004, at 8:21 AM, Newell, Tony wrote:
> My first question would be how big is your prefix list per BGP session? What is really going to task this router with 25 sessions is the BGP Scanner and BGP Router processes. To my knowledge MD5 is just for authenticating the session. I could be wrong.

Every TCP packet in the BGP session (including HELLOs) will have to go through the MD5 process.

This happens even if things like the sequence number are wrong (at least on some versions of IOS).

--
TTFN,
patrick

* Patrick W.Gilmore <patrick@ianai.net> [2004-06-11 20:54]:
> On Jun 11, 2004, at 8:21 AM, Newell, Tony wrote:
> > My first question would be how big is your prefix list per BGP session? What is really going to task this router with 25 sessions is the BGP Scanner and BGP Router processes. To my knowledge MD5 is just for authenticating the session. I could be wrong.
>
> Every TCP packet in the BGP session (including HELLOs) will have to go through the MD5 process.

there is no HELLO in bgp. and it is not really related to bgp either, it is just the common case that they're used together. with tcp md5sig, each and every packet gets an md5 signature - built from the packet header and a shared secret - added, and the receiving side - which, of course, has to have the secret for that - does the same again. if the signature in the packet and the signature the receiver calculated don't match, the packet is discarded (well, should. FreeBSD's implementation does sign outgoing packets and simply ignores signatures on incoming packets, very useful. ok, I don't know whether this has been fixed, but thanks for the laugh).

> This happens even if things like the sequence number are wrong (at least on some versions of IOS).

I consider this Yet Another IOS Bug.

--
Henning Brauer, BS Web Services, http://bsws.de
hb@bsws.de - henning@openbsd.org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
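
The per-segment signing and checking described in the message above, sketched as an added example that is not part of the original thread or any vendor's code. It follows the digest layout of RFC 2385 (TCP MD5 Signature Option); the addresses, ports, flags and key are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18  # TCP option kind and length from RFC 2385


def md5sig_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over pseudo-header, option-less TCP header with zero checksum, data, key."""
    fixed = bytearray(tcp_header[:20])        # options are excluded from the digest
    fixed[16:18] = b"\x00\x00"                # checksum field is treated as zero
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack(
        "!BBH", 0, socket.IPPROTO_TCP, len(tcp_header) + len(payload))
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def sign_segment(src_ip, dst_ip, seq, payload, key):
    """Sender side: build a 40-byte TCP header carrying the signature option."""
    # Ports, ACK number, flags and window are constructed sample values.
    header = struct.pack("!HHIIBBHHH", 40000, 179, seq, 0, 10 << 4, 0x18, 16384, 0, 0)
    digest = md5sig_digest(src_ip, dst_ip, header + bytes(20), payload, key)
    return header + bytes([MD5SIG_KIND, MD5SIG_LEN]) + digest + b"\x01\x01"


def verify_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Receiver side: True to accept the segment, False to discard it."""
    opts, i = tcp_header[20:], 0
    while i < len(opts) and opts[i] != 0:     # kind 0 ends the option list
        if opts[i] == 1:                      # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return False                      # malformed option: discard
        if opts[i] == MD5SIG_KIND and opts[i + 1] == MD5SIG_LEN:
            expected = md5sig_digest(src_ip, dst_ip, tcp_header, payload, key)
            return hmac.compare_digest(opts[i + 2:i + 18], expected)
        i += opts[i + 1]
    return False                              # unsigned segment: discard


if __name__ == "__main__":
    data = b"\xff" * 16 + b"\x00\x13\x04"     # constructed 19-byte BGP KEEPALIVE
    seg = sign_segment("192.0.2.1", "192.0.2.2", 1000, data, b"constructed-secret")
    print(verify_segment("192.0.2.1", "192.0.2.2", seg, data, b"constructed-secret"))
```

The receiver runs one full MD5 pass over header and payload for every segment it checks, which is the per-packet cost the thread is asking about.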