RE: AT&T network recovery preparations
-----Original Message-----
From: Sean Donelan [mailto:sean@donelan.com]
Sent: Friday, September 21, 2001 6:57 PM
To: nanog@merit.edu
Subject: AT&T network recovery preparations
As far as I know, AT&T is the only carrier which maintained the ability to rebuild an entire central office from a "smoking hole in the ground." Last year the program budget was in danger of being cut, and the program eliminated because it had never been needed. It was an expense, which couldn't be justified. I spoke with one of the managers last year, and he said "It would only take one catastrophe to pay for my entire budget." I don't believe he was thinking of this.
Along those lines: I don't know if all of the colos are reacting this way, but at AT&T's datacenter @ 811 10th Avenue in Manhattan, the security there has gone into crisis mode. The steel doors are down to the main entrance - everyone must enter through a side door, where your bags are thoroughly searched and IDs checked to the Nth degree. Something that's always been interesting about that facility as well are the "Duress lights" at many of the corner junctions near security outposts. There's a sign right next to these lights that reads "If the adjacent light is lit, a security condition may exist around this corner. Entering may constitute a serious risk to your person", or something like that. Nice to know that they take security seriously. Matt -- Matthew J. Zito Systems Engineer Register.com, Inc., 11th Floor, 575 8th Avenue, New York, NY 10018 Ph: 212-798-9205 PGP Key Fingerprint: 4E AC E1 0B BE DD 7D BC D2 06 B2 B0 BF 55 68 99
On Fri, 21 Sep 2001, Matt Zito wrote:
I don't know if all of the colos are reacting this way, but at AT&T's datacenter @ 811 10th Avenue in Manhattan, the security there has gone into crisis mode. The steel doors are down to the main entrance - everyone must enter through a side door, where your bags are thoroughly searched and IDs checked to the Nth degree.
Some providers put out press releases, others haven't. But I believe colo providers which normally have a lot of security and those which normally don't, took extra care with their security last week. But it does bring up another issue. As far as I know, Exodus is the only colocation designated a "national infrastructure asset." http://www.thestreet.com/tech/internet/1090327.html I have no idea what that means in practical terms. But I did want to raise the question. As an industry, we aren't vertically integrated. Instead it's an inter-linked set of dependencies. It's not like the old days when the government could just call up Ma Bell, and find out what is happening. Carriers are tenants in facilities operated by others. All the colo operators work very hard to maintain service, and have contingency plans for foreseeable disasters. But when the unforeseen does happen, should we have pre-planned responses with federal authorities? Do we need to include ISPs and the Internet in existing civil defense plans? And finally, should additional facilities be designated as national infrastructure assets?
But it does bring up another issue. As far as I know, Exodus is the only colocation designated a "national infrastructure asset." http://www.thestreet.com/tech/internet/1090327.html
I have no idea what that means in practical terms. But I did want to raise the question. As an industry, we aren't vertically integrated. Instead it's an inter-linked set of dependencies. It's not like the old days when the government could just call up Ma Bell, and find out what is happening.
It is my understanding that the US Government has "national infrastructure" inside Exodus facilities. As for what that means precisely, it's anyone's guess. Security at the Exodus facility in Atlanta has always been pretty good, but I wouldn't call it stellar. I know that the USG at one point had significant infrastructure inside the Atlanta facility. I recall seeing some serious looking cages around routers and Sun gear, but I couldn't say for sure; it was a long time ago. Tim
USG has assets inside a number of co-lo providers. One of the companies I work with happens to provide some under sub-contract to DOE. No details available as to where it is however. :-} iii Timothy Brown wrote:
But it does bring up another issue. As far as I know, Exodus is the only colocation designated a "national infrastructure asset." http://www.thestreet.com/tech/internet/1090327.html
I have no idea what that means in practical terms. But I did want to raise the question. As an industry, we aren't vertically integrated. Instead it's an inter-linked set of dependencies. It's not like the old days when the government could just call up Ma Bell, and find out what is happening.
It is my understanding that the US Government has "national infrastructure" inside Exodus facilities. As for what that means precisely, it's anyone's guess. Security at the Exodus facility in Atlanta has always been pretty good, but I wouldn't call it stellar.
I know that the USG at one point had significant infrastructure inside the Atlanta facility. I recall seeing some serious looking cages around routers and Sun gear, but I couldn't say for sure; it was a long time ago.
Tim
On Sun, 23 Sep 2001, Bob Bownes wrote:
USG has assets inside a number of co-lo providers. One of the companies I work with happens to provide some under sub-contract to DOE. No details available as to where it is however. :-}
Various departments and agencies of the US, state and local government have assets in lots and lots of co-lo providers. I had several circuits designated for "continuity of government." However, no other provider has been designated by the White House as a "National Infrastructure Asset." Sprint and Worldcom provide FTS2001, but they haven't been designated "national infrastructure asset" by the White House. Other than an Exodus press release, I can't find any record of the phrase in the Code of Federal Regulations, the Federal Register, or any official White House public record in the govdocs database. I don't know if being designated a "national infrastructure asset" is the same as the 50th wedding anniversary greeting the White House sent my grandparents (which looks very impressive framed on the mantel), or if it actually has some practical effect. But my question wasn't really a debate over the phrase "national infrastructure asset," but whether there are any other assets the Internet community believes should be included in pre-planned responses.
--On Sunday, 23 September, 2001 6:04 PM -0400 Sean Donelan <sean@donelan.com> wrote:
are any other assets the Internet community believes should be included in pre-planned responses
I think the effect on the Internet & Telecoms infrastructure (as opposed to more important things such as human life) would have been far greater had the 2 NY planes hit 60 Hudson and 111 8th Avenue. These buildings are significant PoF in NY, and NY itself is pretty much an SPoF as far as transatlantic communication is concerned. A preplanned response would be useful here. Not having the PoF's would be more useful. -- Alex Bligh Personal Capacity
On Mon, 24 Sep 2001 00:00:30 +0100 Alex Bligh <alex@alex.org.uk> wrote:
AB> 111 8th Avenue. These buildings are significant PoF in NY, and
AB> NY itself is pretty much an SPoF as far as transatlantic communication
AB> is concerned.
Well.. I would declare the SPoF rather in the whole area. Fibre trails are coming in from the seaside mostly near Mineola.
AB> A preplanned response would be useful here. Not having
AB> the PoF's would be more useful.
The question has to be answered by the Fibre Owners. They can solve the issue. If they do is another question
--jan
-- Jan-Ahrent Czmok http://www.czmok.de/ mailto:jan.czmok@epost.de Tel. +49-(0)-6127-997448 Cell. +49-(0)-174-3074404 "Beware of routing loops.. You may fall into them"
On Mon, Sep 24, 2001 at 01:56:46AM +0200, Jan-Ahrent Czmok typed:
Well.. I would declare the SPoF rather in the whole area. Fibre trails are coming in from the seaside mostly near Mineola.
Last I checked, Mineola was right in the middle of the Island :) Most fiber comes via Shirley in the Town of Brookhaven.
On Sun, 23 Sep 2001 19:55:35 -0400 Jeffrey Meltzer <meltzer@villageworld.com> wrote:
JM> Last I checked, Mineola was right in the middle of the Island :)
JM> Most fiber comes via Shirley in the Town of Brookhaven.
I only visited NY once yet (would one it more often - nice city) when visiting Lightning Internet Services. But i guess, You're right...
--jan
-- Jan-Ahrent Czmok http://www.czmok.de/ mailto:jan.czmok@epost.de Tel. +49-(0)-6127-997448 Cell. +49-(0)-174-3074404 "Beware of routing loops.. You may fall into them"
When referring to points of failure, it's important to note that not just economic centers are vulnerable. I mean, ever notice how much fiber goes through kansas city?
On Mon, Sep 24, 2001 at 01:56:46AM +0200, Jan-Ahrent Czmok wrote:
On Mon, 24 Sep 2001 00:00:30 +0100 Alex Bligh <alex@alex.org.uk> wrote:
AB> 111 8th Avenue. These buildings are significant PoF in NY, and
AB> NY itself is pretty much an SPoF as far as transatlantic communication
AB> is concerned.
Well.. I would declare the SPoF rather in the whole area. Fibre trails are coming in from the seaside mostly near Mineola.
AB> A preplanned response would be useful here. Not having
AB> the PoF's would be more useful.
The question has to be answered by the Fibre Owners. They can solve the issue. If they do is another question
--jan
-- Jan-Ahrent Czmok http://www.czmok.de/ mailto:jan.czmok@epost.de Tel. +49-(0)-6127-997448 Cell. +49-(0)-174-3074404 "Beware of routing loops.. You may fall into them"
--- Wayne Bouchard web@typo.org Network Engineer http://www.typo.org/~web/resume.html
On Sun, 23 Sep 2001 16:59:34 -0700 "Wayne E. Bouchard" <web@typo.org> wrote:
WEB> When referring to points of failure, it's important to note that not
WEB> just economic centers are vulnerable. I mean, ever notice how much
WEB> fiber goes through kansas city?
Therefore i would declare all important exchange points, cities and anything which has more than 1 telco there as vulnerable.
--jan
-- Jan-Ahrent Czmok http://www.czmok.de/ mailto:jan.czmok@epost.de Tel. +49-(0)-6127-997448 Cell. +49-(0)-174-3074404 "Beware of routing loops.. You may fall into them"
On Mon, 24 Sep 2001, Jan-Ahrent Czmok wrote:
On Mon, 24 Sep 2001 00:00:30 +0100 Alex Bligh <alex@alex.org.uk> wrote:
AB> 111 8th Avenue. These buildings are significant PoF in NY, and
AB> NY itself is pretty much an SPoF as far as transatlantic communication
AB> is concerned.
Well.. I would declare the SPoF rather in the whole area. Fibre trails are coming in from the seaside mostly near Mineola.
Mostly? I donut think so; my recollection is a vast majority of trans-atlantic stuff coming in ocean and monmouth county, NJ (manasquan, etc). -- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
On Sunday, September 23, 2001, at 09:33 PM, Alex Rubenstein wrote:
Mostly? I donut think so; my recollection is a vast majority of trans-atlantic stuff coming in ocean and monmouth county, NJ (manasquan, etc).
IIRC, a good deal of transatlantic fibre lands at the National Guard beach in Sea Girt (no public access). -Bill
don't forget too that a good part of transatlantic fiber is backhauled through the holland tunnel into lower manhattan, one of many reasons why all the co-los are on the lower west side (in addition to cheap buildings with heavy load capacity). also one of the (again many) reasons i presume the tunnel has remained closed. according to Telegeography, Inc of Washington DC most of the BIG capacity cables like Mercus-1 and TAT14 come ashore in New Jersey around Manasquan. it's mostly the older stuff that arrives on Long Island.
--- Alex Rubenstein <alex@nac.net> wrote:
On Mon, 24 Sep 2001, Jan-Ahrent Czmok wrote:
On Mon, 24 Sep 2001 00:00:30 +0100 Alex Bligh <alex@alex.org.uk> wrote:
AB> 111 8th Avenue. These buildings are significant PoF in NY, and
AB> NY itself is pretty much an SPoF as far as transatlantic communication
AB> is concerned.
Well.. I would declare the SPoF rather in the whole area. Fibre trails are coming in from the seaside mostly near Mineola.
Mostly? I donut think so; my recollection is a vast majority of trans-atlantic stuff coming in ocean and monmouth county, NJ (manasquan, etc).
===== Anthony Townsend Taub Urban Research Center New York University email: anthony.townsend@nyu.edu tel: 212-998-7502 SMS: anthony@voicestream.net (140 chars max) Yahoo Messenger: townsnda
tat-14's landing sites are green hill, rhode-island and shirley, new york are they not? joelja On Mon, 24 Sep 2001, Anthony Townsend wrote:
don't forget too that a good part of transatlantic fiber is backhauled through the holland tunnel into lower manhattan, one of many reasons why all the co-los are on the lower west side (in addition to cheap buildings with heavy load capacity). also one of the (again many) reasons i presume the tunnel has remained closed.
according to Telegeography, Inc of Washington DC most of the BIG capacity cables like Mercus-1 and TAT14 come ashore in New Jersey around Manasquan. it's mostly the older stuff that arrives on Long Island.
--- Alex Rubenstein <alex@nac.net> wrote:
On Mon, 24 Sep 2001, Jan-Ahrent Czmok wrote:
On Mon, 24 Sep 2001 00:00:30 +0100 Alex Bligh <alex@alex.org.uk> wrote:
AB> 111 8th Avenue. These buildings are significant PoF in NY, and
AB> NY itself is pretty much an SPoF as far as transatlantic communication
AB> is concerned.
Well.. I would declare the SPoF rather in the whole area. Fibre trails are coming in from the seaside mostly near Mineola.
Mostly? I donut think so; my recollection is a vast majority of trans-atlantic stuff coming in ocean and monmouth county, NJ (manasquan, etc).
===== Anthony Townsend Taub Urban Research Center New York University email: anthony.townsend@nyu.edu tel: 212-998-7502 SMS: anthony@voicestream.net (140 chars max) Yahoo Messenger: townsnda
-- -------------------------------------------------------------------------- Joel Jaeggli joelja@darkwing.uoregon.edu Academic User Services consult@gladstone.uoregon.edu PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E -------------------------------------------------------------------------- It is clear that the arm of criticism cannot replace the criticism of arms. Karl Marx -- Introduction to the critique of Hegel's Philosophy of the right, 1843.
At 01:33 PM 9/24/01 -0700, Joel Jaeggli wrote:
tat-14's landing sites are green hill, rhode-island and shirley, new york are they not?
joelja
I saw that you answered your own question, but to elaborate, the TAT-14 domestic landing points are Tuckerton, NJ and Manasquan, NJ. -Steve
On Mon, 24 Sep 2001, Alex Bligh wrote:
I think the effect on the Internet & Telecoms infrastructure (as opposed to more important things such as human life) would have been far greater had the 2 NY planes hit 60 Hudson and 111 8th Avenue. These buildings are significant PoF in NY, and NY itself is pretty much an SPoF as far as transatlantic communication is concerned. A preplanned response would be useful here. Not having the PoF's would be more useful.
There are, and always will be points of failure. The mistake people make is thinking they can build a bunker strong enough. You can't build a building, vault, bunker, missile silo which can withstand everything. The question is really how do you manage your network diversity. The loss of something like 60 Hudson shouldn't cause more than an annoying route flap in your network. Exchange points like MAE-East have completely failed in the past. There have been multiple fiber cuts in the same day. Well designed networks continued to work. Although I'll admit, it is hard work. You can't rely on a carrier to do it for you. Grooming happens. The biggest risk in most networks isn't the national exchange points, although they get the press. All national providers, and most regional providers are interconnected to multiple geographically diverse points. The point in the network with limited diversity is the LEC end-offices. And I use "LEC" deliberately, because even if you use a CLEC, most of the time you are using the LEC for the last mile. You may have great path diversity for 3,000 miles across the continent, but then you go through 140 West Street, or Rochelle Park or some other LEC office. Even if you thought you went through Broad Street, a lot of folks found out they were in fact routed through West Street. Ok, so I just said you can't build a bunker strong enough. Are carrier hotels, like 60 Hudson, history? I don't think so. They have better diversity, better backup systems, and better security than normal offices. The concentration of bandwidth and carriers allowed very fast restoration and re-routing between locations still standing. Carriers were using other carriers' circuits to restore facilities. We may see some movement away from downtown areas, where the danger is a near miss instead of being a direct target. If you can't afford to build your own colo, are you better off hanging off a spoke from a LEC central office.
Or putting your equipment in a building with built in diversity. In general, it is best to put your equipment as close as possible to the point of diversity. You can do this by either moving the point of diversity close to you, or moving your equipment closer to the diversity. Being at the end of a 6,000 foot T1 circuit to a CO is the worst of both worlds. You will go down if an airplane hits either your office, or the CO, or any point along that 6,000 feet of T1 circuit.
--On Monday, September 24, 2001 7:19 AM -0400 Sean Donelan <sean@donelan.com> wrote:
The loss of something like 60 Hudson shouldn't cause more than an annoying route flap in your network.
My point being that building a network which doesn't have more than an annoying route flap, if /both/ 60 Hudson and 111 8th avenue are lost, is extremely hard (*) (especially if it has a transatlantic component). And that's true even if you have your own fiber. (*) hard means that it isn't compatible with existing topologies, and building new ones is expensive. Alex Bligh Personal Capacity.
On Mon, 24 Sep 2001, Alex Bligh wrote:
My point being that building a network which doesn't have more than an annoying route flap, if /both/ 60 Hudson and 111 8th avenue are lost, is extremely hard (*) (especially if it has a transatlantic component). And that's true even if you have your own fiber.
(*) hard means that it isn't compatible with existing topologies, and building new ones is expensive.
Which brings me back to my original question. Are there specific locations which are more important to the functioning of the Internet than others? You can't simply say everything is important. The FAA breaks airports down into several categories, large airports, medium airports and small airports. A large airport has 1% or more of the passenger traffic. Are there specific locations which handle 1% or more of the Internet's traffic (assuming we had figures for the total amount of traffic).
Sean Donelan wrote:
On Mon, 24 Sep 2001, Alex Bligh wrote:
My point being that building a network which doesn't have more than an annoying route flap, if /both/ 60 Hudson and 111 8th avenue are lost, is extremely hard (*) (especially if it has a transatlantic component). And that's true even if you have your own fiber.
(*) hard means that it isn't compatible with existing topologies, and building new ones is expensive.
Which brings me back to my original question. Are there specific locations which are more important to the functioning of the Internet than others? You can't simply say everything is important. The FAA breaks airports down into several categories, large airports, medium airports and small airports. A large airport has 1% or more of the passenger traffic. Are there specific locations which handle 1% or more of the Internet's traffic (assuming we had figures for the total amount of traffic).
The national air traffic system makes a poor analogy to the Internet in this case, IMHO. If O'Hare got nuked tomorrow, we'd have some serious disruption in passenger traffic. If PAIX fell into the ocean, OTOH, traffic would simply route around it. Isn't that how we try to engineer the Internet? So in other words, yes, everything is important, and yes, nothing is particularly important. Grant -- Grant A. Kirkwood - grant@virtical.net Chief Technology Officer - Virtical Solutions, Inc. http://www.virtical.net/
"Grant A. Kirkwood" wrote:
Sean Donelan wrote:
On Mon, 24 Sep 2001, Alex Bligh wrote:
The national air traffic system makes a poor analogy to the Internet in this case, IMHO. If O'Hare got nuked tomorrow, we'd have some serious disruption in passenger traffic. If PAIX fell into the ocean, OTOH, traffic would simply route around it. Isn't that how we try to engineer the Internet?
So in other words, yes, everything is important, and yes, nothing is particularly important.
But there was a point in time when taking out a certain parking garage in Va could have caused us a very great deal of difficulty. But I'd say we are past that, for the most part. Bob
On Mon, 24 Sep 2001, Bob Bownes wrote:
But there was a point in time when taking out a certain parking garage in Va could have caused us a very great deal of difficulty. But I'd say we are past that, for the most part.
Are we? When 25 Broadway failed, approximately 1% of the global Internet routing table also disappeared. Which I would guess qualifies it as a "major" hub. Verizon still has 100,000 lines out of service, and only now begun to restore service to "small" businesses. A couple of years ago a fiber cut in Ohio disrupted about 20% of the Internet routing table.
Sean Donelan wrote:
On Mon, 24 Sep 2001, Bob Bownes wrote:
But there was a point in time when taking out a certain parking garage in Va could have caused us a very great deal of difficulty. But I'd say we are past that, for the most part.
Are we?
When 25 Broadway failed, approximately 1% of the global Internet routing table also disappeared. Which I would guess qualifies it as a "major" hub.
But does that mean that X number of sites were unreachable, or that there were simply Y number fewer routes to X sites? (Excluding those *directly* affected, ie; those *in* 25 Broadway)
Verizon still has 100,000 lines out of service, and only now begun to restore service to "small" businesses.
Yes, but my understanding was that we were referring to IP traffic. POTS doesn't exactly have a built-in routing protocol.
A couple of years ago a fiber cut in Ohio disrupted about 20% of the Internet routing table.
But again, does this mean that 20% of the Internet was unreachable, or that there were 20% fewer routes to a given number of (hopefully multihomed) sites? No, this question is not rhetorical... I simply don't have any empirical evidence to look at that could adequately answer this question. Grant -- Grant A. Kirkwood - grant@virtical.net Chief Technology Officer - Virtical Solutions, Inc. http://www.virtical.net/
One thing to keep in mind is that the number of routes that disappeared from the routing table, while a start, is in no way the final arbiter of how a particular incident affected the internet's performance. While the direct effect is obvious, other, less easily measurable consequences can result from the loss of capacity producing congestion on the remaining network infrastructure, as well as increased latency resulting from longer backhauls. If there's plenty of available backup bandwidth, this effect will be minimal, but if not, let the pain begin. As an example, a certain DSL provider has had to reroute their Covad PVCs from 25 Broadway to their Boston and Washington, DC installations, resulting in their capacity to Covad in those locations being almost completely pegged 24/7. Not fun to be their customer in any of these areas right about now. -Chris
On Mon, Sep 24, 2001 at 12:22:08PM -0700, Grant A. Kirkwood wrote:
Sean Donelan wrote:
On Mon, 24 Sep 2001, Bob Bownes wrote:
But there was a point in time when taking out a certain parking garage in Va could have caused us a very great deal of difficulty. But I'd say we are past that, for the most part.
Are we?
When 25 Broadway failed, approximately 1% of the global Internet routing table also disappeared. Which I would guess qualifies it as a "major" hub.
But does that mean that X number of sites were unreachable, or that there were simply Y number fewer routes to X sites? (Excluding those *directly* affected, ie; those *in* 25 Broadway)
Verizon still has 100,000 lines out of service, and only now begun to restore service to "small" businesses.
Yes, but my understanding was that we were referring to IP traffic. POTS doesn't exactly have a built-in routing protocol.
A couple of years ago a fiber cut in Ohio disrupted about 20% of the Internet routing table.
But again, does this mean that 20% of the Internet was unreachable, or that there were 20% fewer routes to a given number of (hopefully multihomed) sites?
No, this question is not rhetorical... I simply don't have any empirical evidence to look at that could adequately answer this question.
Grant
-- Grant A. Kirkwood - grant@virtical.net Chief Technology Officer - Virtical Solutions, Inc. http://www.virtical.net/
Sean Donelan wrote:
On Mon, 24 Sep 2001, Bob Bownes wrote:
But there was a point in time when taking out a certain parking garage in Va could have caused us a very great deal of difficulty. But I'd say we are past that, for the most part.
Are we?
When 25 Broadway failed, approximately 1% of the global Internet routing table also disappeared. Which I would guess qualifies it as a "major" hub.
But does that mean that X number of sites were unreachable, or that there were simply Y number fewer routes to X sites? (Excluding those *directly* affected, ie; those *in* 25 Broadway)
From what point did 1% of the routing table disappear? Was the same visible from multiple, diverse points? I expect that from some perspectives, 100% of the routing table disappeared and some places didn't even see a blip. --bill
On Mon, 24 Sep 2001 bmanning@vacation.karoshi.com wrote:
When 25 Broadway failed, approximately 1% of the global Internet routing table also disappeared. Which I would guess qualifies it From what point did 1% of the routing table disappear? Was the same visible from multiple, diverse points?
I expect that from some perspectives, 100% of the routing table disappeared and some places didn't even see a blip.
The Internet as we know it is just a collective illusion. You are correct from one side of the partition, 99% of the routes disappeared and on the other side 1% of the routes disappeared. I checked four different BGP feeds from a mix of providers, and they were fairly consistent. But percentage of routes is just one way to measure "importance." It may not be the best way. Other methods include
1. Number of stock options owned by Very Important People
2. CAIDA skitter traces of routers of confluence
3. Number of OC-192 links in a building
4. Number of "Tier 1" providers in a building
5. Government fiat
6. Wait for the building to fall down and see what happens
Assuming there are locations more important than others, should we do anything? Or should we just hope no one else figures out where they are?
On Tue, 25 Sep 2001, Sean Donelan wrote:
:But percentage of routes is just one way to measure "importance."
:It may not be the best way. Other methods include
:
: 1. Number of stock options owned by Very Important People
: 2. CAIDA skitter traces of routers of confluence
: 3. Number of OC-192 links in a building
: 4. Number of "Tier 1" providers in a building
: 5. Government fiat
: 6. Wait for the building to fall down and see what happens
Is there a geometric method of measuring the 'meshedness' of a given set? If you take all the as-paths from a sampling of peers across the Internet, and show the relative density of where the respective paths converge, you can get a good picture of who's transiting the most routes. Now this doesn't show physical connections, as an AS can represent an area that spans continents, but it shows who is responsible, which in any DRP/BCP is among the first things established.
:Assuming there are locations more important than others, should
:we do anything? Or should we just hope no one else figures out
:where they are?
Well, the gov, or an industry consortium can find these dense transit areas and require that organizations with (eg.)2 or more peers have some semblance of a DRP/BCP plan that can be audited. The plan doesn't necessarily have to guarantee connectivity, but establish whether they can be trusted to route packets if the DRP/BCP has to be initialized. After all, we are talking about the Internet, and though many orgs control lots of different parts of the infrastructure, maybe a plan just for layer 3 might be worth pursuing. So maybe a large percentage of traffic gets routed through 60 hudson, the providers that are located there would each have to have diverse enough infrastructure/routing policies to contend with the unavailability of their equipment at that facility, to qualify as an Infrastructure Carrier.
In short, I think that a plan like this should start on ground we all know and have the power to negotiate on, which is layer 3. -- batz Reluctant Ninja Defective Technologies
On Tue, Sep 25, 2001 at 04:04:38PM -0400, batz wrote: [snip]
Is there a geometric method of measuring the 'meshedness' of a given set? If you take all the as-paths from a sampling of peers across the Internet, and show the relative density of where the respective paths converge, you can get a good picture of who's transiting the most routes.
The mathematical term 'connectivity' measures the least number of vertices that has to be destroyed to stop a network from being fully connected. Any network that contains a SPoF (even if it only causes one small bit to go lost) has a connectivity of '1'. Any network that you need to hit at least 2 vertices (routers and switches would be vertices, lines would be edges) has a connectivity of '2'. There are very nice mathematical methods for determining the connectivity and connectionness of a graph (network). I can recommend Skiena's "The algorithm design manual" for anybody interested. It is supposedly available online in HTML (I bought the dead tree version :) Greetz, Peter -- Monopoly http://www.dataloss.nl/monopoly.html
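An added illustration, not part of the original thread: the two measures raised in the messages above, batz's count of where sampled AS paths converge and Peter's vertex connectivity, computed over a small set of AS paths. The paths and the private-use ASNs are constructed for this example, and the brute-force search generalizes the SPoF case to cut sets of any size, which only suits small graphs.

```python
from collections import Counter, defaultdict, deque
from itertools import combinations

# Constructed AS paths (vantage AS first, origin AS last), private-use ASNs.
# Every path crosses AS 64800, the stand-in for a single carrier hotel.
HUBBED = [
    [64601, 64701, 64800, 64702, 64603],
    [64601, 64701, 64800, 64604],
    [64602, 64701, 64800, 64702, 64603],
    [64602, 64701, 64800, 64604],
    [64603, 64702, 64800, 64701, 64601],
    [64604, 64800, 64702, 64603],
]
# Constructed extra paths: each edge AS gains a second upstream.
DIVERSE = HUBBED + [
    [64601, 64702, 64603],
    [64602, 64702, 64604],
    [64603, 64701, 64604],
]


def transit_counts(paths):
    """Number of sampled paths each AS carries as transit (not as an endpoint)."""
    counts = Counter()
    for path in paths:
        counts.update(set(path[1:-1]))  # count an AS once per path
    return counts


def build_graph(paths):
    """Undirected AS adjacency graph implied by consecutive hops in the paths."""
    adj = defaultdict(set)
    for path in paths:
        for a, b in zip(path, path[1:]):
            if a != b:  # ignore AS-path prepending
                adj[a].add(b)
                adj[b].add(a)
    return adj


def is_connected(adj, removed=frozenset()):
    """True if the graph stays connected once the 'removed' vertices are gone."""
    nodes = [n for n in adj if n not in removed]
    if len(nodes) <= 1:
        return True
    seen = {nodes[0]}
    queue = deque([nodes[0]])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen) == len(nodes)


def vertex_connectivity(adj):
    """Return (k, cuts): the least number of vertices whose loss partitions
    the graph, and every vertex set of that size that does so.
    Brute force over combinations, so exponential in graph size."""
    nodes = sorted(adj)
    if not is_connected(adj):
        return 0, []
    for k in range(1, len(nodes) - 1):
        cuts = [c for c in combinations(nodes, k)
                if not is_connected(adj, frozenset(c))]
        if cuts:
            return k, cuts
    return len(nodes) - 1, []  # complete graph: no proper cut set exists


if __name__ == "__main__":
    for name, paths in (("hubbed", HUBBED), ("diverse", DIVERSE)):
        k, cuts = vertex_connectivity(build_graph(paths))
        print(name, "transit:", transit_counts(paths).most_common())
        print(name, "connectivity:", k, "minimum cut sets:", cuts)
```

In the diverse sample the three transit ASes carry equal path counts, yet only one pair of them forms a cut set, which is the difference between the density measure and the connectivity measure.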
note that richer meshes may increase forwarding reliability but they exacerbate routing convergence problems. see abha's nanog presentation. randy
--On Tuesday, 25 September, 2001 1:18 PM -0700 Randy Bush <randy@psg.com> wrote:
note that richer meshes may increase forwarding reliability but they exacerbate routing convergence problems. see abha's nanog presentation.
&, particularly where such meshes are formed in part from multiple providers, the probability of the types of critical errors caused by the failure of any one of the providers (as opposed to those which require all of the providers to go down). [trivial example: most people don't filter their upstreams at all. if you have n upstreams, then if any one gets hacked and decides to send 100,000,000 routes at you, you die. Probability increases with n] Alex Bligh Personal Capacity
Some cites have peering and co-locations diversity, some don't. InfoMart & Westin Building come to mind. Those should rank high by your list. At 13:19 -0400 25-09-2001, Sean Donelan wrote:
On Mon, 24 Sep 2001 bmanning@vacation.karoshi.com wrote:
When 25 Broadway failed, approximately 1% of the global Internet routing table also disappeared. Which I would guess qualifies it From what point did 1% of the routing table disappear? Was the same visible from multiple, diverse points?
I expect that from some perspectives, 100% of the routing table disappeared and some places didn't even see a blip.
The Internet as we know it is just a collective illusion.
You are correct from one side of the partition, 99% of the routes disappeared and on the other side 1% of the routes disappeared. I checked four different BGP feeds from a mix of providers, and they were fairly consistent.
But percentage of routes is just one way to measure "importance." It may not be the best way. Other methods include
1. Number of stock options owned by Very Important People
2. CAIDA skitter traces of routers of confluence
3. Number of OC-192 links in a building
4. Number of "Tier 1" providers in a building
5. Government fiat
6. Wait for the building to fall down and see what happens
Assuming there are locations more important than others, should we do anything? Or should we just hope no one else figures out where they are?
-- Joseph T. Klein +1 414 915 7489 Senior Network Engineer jtk@titania.net Adelphia Business Solutions joseph.klein@adelphiacom.com "... the true value of the Internet is its connectedness ..." -- John W. Stewart III
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Also keep in mind the trends that the "consumers" of the service use; If ohare got nuked, you would also see a serious DROP off in passengers; much as the airlines are seeing right now. If PAIX fell into the ocean, presumably there would be other things going with it, and there would be an INCREASED usage on the net as people try to scour for information.. Not that that's particularly related to the issue, just another example of why it's a poor analogy.. My $0.02 Regards, Matt (BTW, I'm flying thru ohare tomorrow, so if anybody has aforementioned intentions, please re-schedule.) - -- Matt Levine @Home: matt@deliver3.com @Work: matt@easynews.com ICQ : 17080004 PGP : http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6C0D04CF "The Trouble with doing anything right the first time is that nobody appreciates how difficult it was." - -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Grant A. Kirkwood Sent: Monday, September 24, 2001 2:43 PM To: Sean Donelan; nanog@merit.edu Subject: Re: Points of Failure (was Re: National infrastructure asset) Sean Donelan wrote:
On Mon, 24 Sep 2001, Alex Bligh wrote:
My point being that building a network which doesn't have more than an annoying route flap, if /both/ 60 Hudson and 111 8th avenue are lost, is extremely hard (*) (especially if it has a transatlantic component). And that's true even if you have your own fiber.
(*) hard means that it isn't compatible with existing topologies, and building new ones is expensive.
Which brings me back to my original question. Are there specific locations which are more important to the functioning of the Internet than others? You can't simply say everything is important. The FAA breaks airports down into several categories, large airports, medium airports and small airports. A large airport has 1% or more of the passenger traffic. Are there specific locations which handle 1% or more of the Internet's traffic (assuming we had figures for the total amount of traffic).
The national air traffic system makes a poor analogy to the Internet in this case, IMHO. If O'Hare got nuked tomorrow, we'd have some serious disruption in passenger traffic. If PAIX fell into the ocean, OTOH, traffic would simply route around it. Isn't that how we try to engineer the Internet? So in other words, yes, everything is important, and yes, nothing is particularly important. Grant - -- Grant A. Kirkwood - grant@virtical.net Chief Technology Officer - Virtical Solutions, Inc. http://www.virtical.net/ -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBO6+Elcp0j1NsDQTPEQJAZwCghRKAooQt06lfAnicImgHPalYWtUAoM5e qsPIHuX1PsGh+Fz3VFIUPYLh =0Xjs -----END PGP SIGNATURE-----
Which brings me back to my original question. Are there specific locations which are more important to the functioning of the Internet than others? You can't simply say everything is important. The FAA
On a physical layer, there are WAY too many points where lots of fiber from multiple providers crosses the same bridge.... uses the same railroad right of way... too many to think about and stay sane,
Date: Mon, 24 Sep 2001 18:17:45 -0400 (EDT) From: mike harrison <meuon@highertech.net>
On a physical layer, there are WAY too many points where lots of fiber from multiple providers crosses the same bridge.... uses the same railroad right of way... too many to think about and stay sane,
Considering the high cost of right-of-way, it's no wonder. I wonder if this will affect people's and various jurisdictions' views on the importance of allowing companies to dig. I agree that the lack of physical redundancy is scary. But, given the difficulty of negotiating ROW, how does an entity competitively dig where no one has dug before? Right of way... the final frontier. (Apologies to Voyager.) Eddy --------------------------------------------------------------------------- Brotsman & Dreger, Inc. - EverQuick Internet Division Phone: +1 (316) 794-8922 Wichita/(Inter)national Phone: +1 (785) 865-5885 Lawrence --------------------------------------------------------------------------- Date: Mon, 21 May 2001 11:23:58 +0000 (GMT) From: A Trap <blacklist@brics.com> To: blacklist@brics.com Subject: Please ignore this portion of my mail signature. These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
Everyone: I know it's difficult to refrain from comment, but let's try to remember that the bad guys read this list too. While they may not have the knowledge of critical communication infrastructure points, they can certainly find and target them if we point them in the right direction. This pertains not only to our side of the ponds, but to overseas as well. We all know where the 'soft targets' of our infrastructures are located - let's keep it to ourselves or, at the very least, within small private discussion groups where everyone knows everyone and not on the public list. Tim
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Timothy R. McKee Sent: September 24, 2001 8:29 PM To: nanog@merit.edu Subject: RE: Points of Failure (was Re: National infrastructure asset) Importance: High
I know it's difficult to refrain from comment, but let's try to remember that the bad guys read this list too. While they may not have the knowledge of critical communication infrastructure points, they can certainly find and target them if we point them in the right direction. This pertains not only to our side of the ponds, but to overseas as well. We all know where the 'soft targets' of our infrastructures are located - let's keep it to ourselves or, at the very least, within small private discussion groups where everyone knows everyone and not on the public list.
Why would security by obscurity work in this case? Any terrorist with a quarter of a clue can find out the addresses of enough critical buildings to cause a huge disaster in about 30 minutes (*hint* Find sites for providers that have hardware coloed in major buildings and that list the addresses of these POPs. No names will be provided, but I have at least one in my mind. Repeat this process with some major peering points, a listing of which is quite easy to find). I might add that it's much easier to find this out than it is to crash some airplanes into prominent US buildings; I doubt a 30 minute Google search would tell you how to pilot airplanes, but perhaps I'm just a little naive. Vivien -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
secrets are bad for everyone... joelja On Mon, 24 Sep 2001, Timothy R. McKee wrote:
Everyone: I know it's difficult to refrain from comment, but let's try to remember that the bad guys read this list too. While they may not have the knowledge of critical communication infrastructure points, they can certainly find and target them if we point them in the right direction. This pertains not only to our side of the ponds, but to overseas as well. We all know where the 'soft targets' of our infrastructures are located - let's keep it to ourselves or, at the very least, within small private discussion groups where everyone knows everyone and not on the public list. Tim
-- -------------------------------------------------------------------------- Joel Jaeggli joelja@darkwing.uoregon.edu Academic User Services consult@gladstone.uoregon.edu PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E -------------------------------------------------------------------------- It is clear that the arm of criticism cannot replace the criticism of arms. Karl Marx -- Introduction to the critique of Hegel's Philosophy of the right, 1843.
On Mon, Sep 24, 2001 at 08:29:00PM -0400, Timothy R. McKee wrote:
I know it's difficult to refrain from comment, but let's try to remember that the bad guys read this list too. While they may not have the knowledge of critical communication infrastructure points, they can certainly find and target them if we point them in the right direction [...]
Locating carrier hotels, fibre landing points, cable routes, and other key infrastructure locations is by no means difficult. I'm all for ridding the world of terrorism and whatnot, but it's not like we're doing anyone a favor by falsely maintaining a veil of secrecy. -a
I know it's difficult to refrain from comment, but let's try to remember that the bad guys read this list too. While they may not have the knowledge of critical communication infrastructure points, they can certainly find and target them if we point them in the right direction.
I'd actually argue the opposite. It's difficult to face this, but we know we ARE vulnerable. The important long term solution is that we need to address our weaknesses. By acknowledging where the critical points are, AND PLANNING TO DEAL WITH THEIR LOSS, we make the system that much harder to defeat. It's burying of our heads in the sand that caused the problem in the first place (the WTC bombing, that is). People thought it would be easier to pretend terrorists would never figure something like this out, than asking if 'feel-good' measures with no real substance were worth bothering with.
This pertains not only to our side of the ponds, but to overseas as well. We all know where the 'soft targets' of our infrastructures are located - let's keep it to ourselves or, at the very least, within small private discussion groups where everyone knows everyone and not on the public list.
While I'd agree that there's no reason to constantly advertise the problems, it's in free and open discussions that the best solutions are often found. Groups of known members have a tendency to fall into patterns, missing the same holes and making the same mistakes. The more open the group, the more likely any solutions will solve the general case instead of focusing on the same details and missing others. (Granted, it's also more likely that discussions will fall into petty bickering, but hopefully we're all motivated enough to come back to looking at the real problem)
On Mon, 24 Sep 2001, mike harrison wrote:
On a physical layer, there are WAY too many points where lots of fiber from multiple providers crosses the same bridge.... uses the same railroad right of way... too many to think about and stay sane,
Under the new Anti-Terrorism Act, damaging communication lines, stations or systems would become a Federal Terrorism Offense. I feel sorry for the backhoe operators.
Being at the end of a 6,000 foot T1 circuit to a CO is the worst of both worlds.
Hum... but in this case I have direct control on the physical access to my hardware. For some, this outweighs the "proximity to diversity" of telecoms paths. If I want (non-authentic) copies of the data spread far and wide, that's a service I can buy from a number of suppliers. I don't have to put -MY- hardware close to the telecoms mesh. I want my keyserver where I know I can protect it from barbarian hordes. In such a case, a long, thin gauntlet might be the best choice. --bill
--- Timothy Brown <timothy.brown@pobox.com> wrote:
It is my understanding that the US Government has "national infrastructure" inside Exodus facilities. As for what that means precisely, it's anyone's guess.
What it means is that the US Treasury, and specifically the IRS, depend heavily on those facilities to process electronic transactions including electronic filing of tax returns. Obviously "national infrastructure" would include the means of financing the Government. -Jim P.
participants (28)
- Adam Rothschild
- Alex Bligh
- Alex Rubenstein
- Anthony Townsend
- batz
- Bill McGonigle
- bmanning@vacation.karoshi.com
- Bob Bownes
- Chris Woodfield
- E.B. Dreger
- Grant A. Kirkwood
- Jan-Ahrent Czmok
- Jeffrey Meltzer
- Jim Popovitch
- Joel Jaeggli
- Joseph T. Klein
- Matt Levine
- Matt Zito
- mike harrison
- Peter van Dijk
- Randy Bush
- ray
- Sean Donelan
- Steve Meuse
- Timothy Brown
- Timothy R. McKee
- Vivien M.
- Wayne E. Bouchard