Alternative to BGP-4 for multihoming?
Radware has a product called Linkproof and claims that it negates the need for BGP-4 and portable IP addresses: http://www.radware.com/product/lproof/Default.htm I have a customer that requires multihoming and they want to use Linkproof and I want them to do BGP-4. Does anyone have any experience using this as an alternative to BGP-4? Thanks, Hank
On Wed, Mar 01, 2000 at 05:42:04PM +0200, Hank Nussbacher wrote:
This is kinda funny: "LinkProof's simplicity and fault tolerance features enable ISPs to introduce redundant Internet access to new and existing clients. It provides a simple, seamless solution for ISPs who want to upgrade their sites to multiple links without deploying and maintaining advanced proprietary routing protocols." Now, where is the proprietary in BGP4 as opposed to LinkProof. Just wondering. /Niels Chr. -- Niels Christian Bank-Pedersen, NCB1-RIPE. Network Manager, Tele Danmark NET, IP-section. "Hey, are any of you guys out there actually *using* RFC 2549?"
Looking only at this web page, I don't see that it *doesn't* use BGP. If it's going to interact with providers it has to speak BGP, yes? It looks to me like it just automates managing multiple connections, through a proprietary protocol for exchanging status between the connection points -- routing information, link quality, NAT status, etc. (I hope it doesn't do anything which would cause significant churn in the routing advertisements, since that could have an effect far beyond their local area.) ...Scott At 17:42 03/01/2000 +0200, Hank Nussbacher wrote:
The documentation is pretty vague on a few points, but it looks like all it does is NAT and (possibly, it's very vague on this point) resolve DNS for servers based on what it thinks is the best path to use. There's just a static route on your side; the customer gets a network from each ISP, and the LinkProof NATs to whichever network it thinks is best. Good points: He isn't peering with you. You don't need to do anything to support this. Just statically route him and let him do the rest. Bad points: He asked if you support it; ergo, he doesn't know how it works. Prepare your NOC/customer service folks for this guy to call in and bitch if the thing fails. It's also wasteful of IP addresses if the guy's got a big network back there, since he has to number every machine separately for every connection he's got. Lastly, they're really vague in the online docs on how, exactly, they redirect traffic going to the customer. They just say they redirect it, and later say that the box will be "taking responsibility for... DNS support for resources that need to be accessed from the Internet." Sounds iffy to me. In short, if it were my customer, I'd say something like, "It's your funeral. Have a ball." Only I'd say it nicely. -Dave Hank Nussbacher <hank@att.net.il> wrote:
On Wed, 1 Mar 2000, David Israel wrote:
Oy. This stuff seems similar to what I ran on my home network (NAT plus smart DNS servers that gave out IPs on the links that were up). It worked semi-decent, only that failover sometimes took ages because of all the DNS caches in the world which don't care which TTL you set, or have a notion of 'minimal TTL' below which they won't accept your records, end clients caching records infinitely (well, until the next reboot/app restart). All in all, I'd say it works in 95% of cases, and certainly good enough for a home network, but using it in enterprise connectivity is silly. -- Alex Pilosov | http://www.acecape.com/dsl Acecape, Inc. | AceDSL:The best ADSL in Bell Atlantic area 325 W 38 St. Suite 1005 | New York, NY 10018 |
F5's 3DNS will accomplish the same. The redundancy is provided via DNS as opposed to having to worry about network advertisements via BGP4. Essentially, the 3DNS box assumes the DNS entry for the site for which the customer requires multihoming and it intelligently balances traffic amongst any geographically disparate sites. This allows for high availability. *********** REPLY SEPARATOR *********** On 3/1/00 at 5:42 PM Hank Nussbacher wrote:
------- Peter Van Oene Senior Systems Engineer UNIS LUMIN Inc. www.unislumin.com
F5's 3DNS will accomplish the same. The redundancy is provided via DNS as opposed to having to worry about network advertisements via BGP4.
Okay, but all drugs aside, if you're "having to worry about" BGP then you're already unstable. (You, not your network). DNS was not and is not a mechanism for redundant connections. BGP is. Anyone who tells you otherwise is trying to sell you something. - TPB E
[After translating that to English and then into usable form, I still have to say "Essentially, that's bullshit. This allows for bullshit."] E
*********** REPLY SEPARATOR ***********
On 3/1/00 at 5:42 PM Hank Nussbacher wrote:
"Peter A. van Oene" wrote:
If I'm not mistaken, it accomplishes this in a somewhat obtrusive manner. The box attempts an xfer back to TCP/53 on the querying DNS server. Based on response time, a proper route is chosen. I've seen a lot of posts to Intrusion & GIAC from people who assumed someone was trying enumeration in preparation for an attack, only to find out it was one of these boxes. I also seem to remember a post on GIAC showing Snort traces of one of these boxes actually performing a full xfer if the box was not locked down. Do you use one of these boxes? If so, any idea what happens to the xfer data? Ignoring the argument as to whether it's appropriate to attempt xfers on unsuspecting networks, I also see this as being pretty inefficient. A good quantity of sites are now running split DNS so the querying server is not even reachable. This means a fair percentage of the time the load balance attempt will outright fail. Don't see this replacing BGP anytime soon. ;) Chris -- ************************************** cbrenton@sover.net * Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet * Mastering Network Security http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
"Peter A. van Oene" wrote:
Essentially, the 3DNS box assumes the DNS entry for the site for which
This is great feedback / moderate flaming. However, consider the following. I have only moderate experience with the F5 3DNS & similar products; however, I am familiar with BGP routing. My client base is high traffic e-commerce style (for lack of a better overused marketing term) web sites. They sit on /28's and smaller in some cases. I'm certainly not going to be successful in acquiring ASN's for these people to do proper load balancing between multiple ISP's, and most major ISP's see little benefit in modifying route tables to include our small netblock. It's these cases I'm concerned with. In my mind, irrespective of the comments on the functionality of DNS for this purpose, I see little other choice. As a direct FYI, the 3DNS can make fairly intelligent decisions about where to direct traffic beyond simply gauging TCP/53 handshake times. There is quite a detailed, informative interaction that can take place between the 3DNS and F5's local load distributor, the BIG-IP. That being said, if anyone has better ideas on how to provide for high availability to millions of web sites worldwide, please let me know. Pete *********** REPLY SEPARATOR *********** On 3/12/00 at 1:32 PM Chris Brenton wrote:
------- Peter Van Oene Senior Systems Engineer UNIS LUMIN Inc. www.unislumin.com
Products like the Nortel Accelar 700 do layer 7 redirect. http://www.nortelnetworks.com/products/02/datasheets/3377.html ----- Original Message ----- From: "Peter A. van Oene" <vantech@sympatico.ca> To: <nanog@merit.edu> Sent: Sunday, March 12, 2000 4:44 PM Subject: Re: Alternative to BGP-4 for multihoming?
Dana Hudes wrote:
Products like the Nortel Accelar 700 do layer 7 redirect. http://www.nortelnetworks.com/products/02/datasheets/3377.html
You should read that datasheet more closely. When handling multiple sites, this product does something questionable, just as the F5 and other brands do. In the case of this Nortel product, it pings the original user's DNS server:
From this data sheet:
"The Accelar 790 Server Switch can offer such services because it uses standard DNS and OSPF protocols. Here's how it works: When the client initially requests a URL, his or her browser sends a resolution request to the local DNS server - the typical scenario. But with the Accelar 790, the DNS tree does not contain the physical IP address of the URL server. Instead, the DNS tree is populated with the IP address of a master Accelar 790 Server Switch. This Accelar IP address bears a flag to indicate that it is the DNS server that can resolve the URL IP address. The client's local DNS server will then submit the DNS request to the master Accelar 790. The master will forward the client IP address and requested URL to all other Accelar 790 Server Switches that are providing points of presence for the requested URL. Each Accelar 790 will ping the client's DNS server and return the router hop count and latency as well as their local server load for the URL. The master 790 will choose the best response time and forward that IP address to the client's DNS server. The client's browser will cache that IP address and use it for the remainder of the session." So, provided you permit ICMP traffic to your DNS servers, and provided that traffic is routed through various providers' networks along the same paths as the DNS and web traffic, this approach might work. What is also inherent in this product is a packet amplification. Every time a DNS request comes to one of these boxes, a set of ping packets is fired at the source IP address of the DNS request, not to mention the site-to-site traffic generated. This can be accomplished using a single UDP packet. If such a packet is spoofed... Looks to me like this product is capable of resulting in a denial of service against the site running the boxes, and being used to cause a DoS against other sites.
-- ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com
If the goal is to direct traffic from a client to the closest server farm, why not just build a box to do a BGP lookup and respond to a name lookup with the IP of that farm? No pings or zone transfers necessary. -travis ----- Original Message ----- From: "Daniel Senie" <dts@senie.com>
At 16:44 12/03/00 -0500, Peter A. van Oene wrote: After knocking the Linkproof, I started to dig deeper and do believe that for certain sites it does provide a solution. Things that BGP can't do, like load the links via either least traffic, round robin, or least flows; checking proximity via hops, latency and load - and each of these variables the user can assign a weight; supports routing for RIP II or OSPF, and a bunch of other features. Yes, it has some warts (sends out dns with ttl=0, which not everyone will like; sends out 2 A records (if enabled) for all queries), is not appropriate for huge sites, but for small sites that have 2-3 T1s in use via BGP, this may be a solution. BGP was never meant to be a load balancing method. To quote from the RFC: Since BGP picks a "best" route based upon most specific prefix and shortest AS_PATH, it becomes non-trivial to figure out how to manually direct specific portions of internal traffic (prefixes) in a distributed fashion across multiple external gateways. We all know how hard it is to play with AS-path lengths and to get the links close to a 40-60% split. These black boxes provide a different option and a possible solution. I intend to have a customer test one for a period of a month and can report back here what we find. -Hank PS Anyone who wants the 392K PDF Users Manual for Linkproof can send me private email and when I have time I will ship it out.
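An added illustration (not part of the thread) of two points raised above: Alex's observation that resolver caches ignore low TTLs or enforce a minimum, and Hank's note that the Linkproof answers with TTL=0. It is a constructed simulation of smart-DNS failover: an authoritative server that hands out whichever link is up, a caching resolver with a configurable TTL floor, and a client querying once a second; the addresses, TTLs and link names are assumed values.

```python
from dataclasses import dataclass

LINK_A, LINK_B = "192.0.2.10", "198.51.100.10"  # constructed addresses, one per ISP link


@dataclass
class SmartDns:
    """Authoritative 'smart DNS': answers with the address of the first link it believes is up."""
    ttl: int
    links: dict  # link name -> [address, is_up]

    def answer(self):
        for addr, up in self.links.values():
            if up:
                return addr, self.ttl
        raise RuntimeError("all links down")


class CachingResolver:
    """Recursive resolver with a cache. min_ttl=0 honours the TTL exactly; a positive
    min_ttl models the 'minimal TTL below which they won't accept your records' behaviour."""

    def __init__(self, auth, min_ttl=0):
        self.auth, self.min_ttl = auth, min_ttl
        self.cached = None  # (address, expiry time)

    def lookup(self, now):
        if self.cached and now < self.cached[1]:
            return self.cached[0]  # served from cache, authoritative never consulted
        addr, ttl = self.auth.answer()
        self.cached = (addr, now + max(ttl, self.min_ttl))
        return addr


def failover_delay(min_ttl, ttl, fail_at, horizon=7200):
    """Seconds between link A failing and the client first being handed link B's address.
    Returns None when the client never sees the new address within the horizon
    (the 'cached until the next reboot' case)."""
    auth = SmartDns(ttl, {"A": [LINK_A, True], "B": [LINK_B, True]})
    resolver = CachingResolver(auth, min_ttl)
    for t in range(horizon):
        if t == fail_at:
            auth.links["A"][1] = False  # link A goes down; smart DNS notices immediately
        if t >= fail_at and resolver.lookup(t) == LINK_B:
            return t - fail_at
        resolver.lookup(t)  # client keeps querying once per second
    return None
```

With a TTL floor of 300 s the client is stuck on the dead link for up to five minutes regardless of the TTL=0 the box advertises, which is the failover lag Alex describes.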
Peter, check out Digital Island. They run a private ATM network which is connected to most Tier1 ISP's worldwide; you buy a pipe to them and they handle the redundancy issues. I used them for a project and was VERY successful, especially to the Pacific Rim, where the public net tends to have somewhat indifferent performance. Scott "Peter A. van Oene" wrote:
On 12-Mar-2000 Peter A. van Oene wrote:
If you use 3DNS make sure you're able to put up with a lot of abuse complaints from other sites. It queries port 53 TCP (Domain) on systems to figure out the "best" site to serve data from using the RTT. Worst case, if you've got a paranoid ISP, you might even lose connectivity altogether. I can't see why the software needs to use 53/TCP - I'd have thought 53/UDP or ICMP echos would be less intrusive. Apparently it tries a domain XFER for some reason, although no sign of this in my logs. Can't see why doing an xfer would help load balancing decisions. A certain very, very, very, very, very large US software/OS company uses 3DNS and when I complained about a runaway port 53 scan against my systems (Which looks for all the world like some sort of DoS attack or probe) the security/abuse guy I ended up with was rather less than impressed with the 3DNS system. I got the impression they frequently get complaints about it. -- Ryan O'Connell - <ryan@on-line-finance.net> You are the Dancing Queen, young and sweet, only seventeen Dancing Queen, feel the beat from the tambourine You can dance, you can jive, having the time of your life See that girl, watch that scene, dig in the Dancing Queen
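Chris and Ryan both describe the same triage problem from the receiving end: an inbound TCP/53 connection from a load balancer probing the resolver that just queried it looks, in isolation, like an enumeration attempt. The check below is an added example (not from the thread or from any vendor) of how an analyst could correlate the two: an inbound TCP/53 SYN is a "probe-back" only if our own resolver sent that host a UDP/53 query shortly before; anything else is flagged as unsolicited. The log format, hosts and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed firewall-style log (not real Snort/GIAC output), one event per line:
#   "<epoch> <in|out> <proto> <src>:<sport> -> <dst>:<dport> <tcp flag or ->"
# 192.0.2.53 is our resolver; 198.51.100.10 is a remote site's nameserver/balancer.
LOG = """\
951900000 out udp 192.0.2.53:3201 -> 198.51.100.10:53 -
951900001 in tcp 198.51.100.10:4411 -> 192.0.2.53:53 S
951900002 in tcp 198.51.100.10:4412 -> 192.0.2.53:53 S
951903600 in tcp 203.0.113.9:50210 -> 192.0.2.53:53 S
951903601 in tcp 203.0.113.9:50211 -> 192.0.2.1:53 S
"""

LINE = re.compile(r"(\d+) (in|out) (udp|tcp) (\S+):\d+ -> (\S+):(\d+) (\S)")


def classify_tcp53(log=LOG, window=30):
    """Map each remote host that opened TCP/53 to us onto a verdict:
    'probe-back'  - our resolver sent that host a UDP/53 query within `window` seconds
                    beforehand (the 3DNS/Linkproof-style RTT check described in the thread)
    'unsolicited' - no preceding query from us; treat as a scan and escalate normally."""
    events = [LINE.match(line).groups() for line in log.splitlines() if line.strip()]
    queried = defaultdict(list)  # remote host -> times our resolver queried it
    verdict = {}
    for ts, direction, proto, src, dst, dport, flags in events:
        ts = int(ts)
        if direction == "out" and proto == "udp" and dport == "53":
            queried[dst].append(ts)
        elif direction == "in" and proto == "tcp" and dport == "53" and flags == "S":
            recent = any(0 <= ts - q <= window for q in queried[src])
            # A host already marked unsolicited stays unsolicited even if a later SYN correlates.
            if verdict.get(src) != "unsolicited":
                verdict[src] = "probe-back" if recent else "unsolicited"
    return verdict
```

The probe-back verdict lowers the priority of the alert but does not make the traffic legitimate; a zone transfer attempt (TCP/53 followed by AXFR) should still be refused by the server regardless of who asks.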
participants (13)
- Alex Pilosov
- Chris Brenton
- Dana Hudes
- Daniel Senie
- David Israel
- Ehud Gavron
- Hank Nussbacher
- Niels Chr. Bank-Pedersen
- Peter A. van Oene
- Ryan O`Connell
- Scott McGrath
- Scott W Brim
- Travis Pugh