Date: Mon, 26 Dec 2005 01:27:09 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: <danial_thom@yahoo.com>, "Loren M. Lang" <lorenl@alzatex.com>
Cc: Yance Kowara <yance_kowara@yahoo.com>, freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections
Message-ID: <LOBBIFDAGNMAMLGJJCKNOEBNFDAA.tedm@toybox.placo.com>
In-Reply-To: <20051223234650.70105.qmail@web33312.mail.mud.yahoo.com>
>-----Original Message-----
>From: Danial Thom [mailto:danial_thom@yahoo.com]
>Sent: Friday, December 23, 2005 3:47 PM
>To: Ted Mittelstaedt; Loren M. Lang
>Cc: Yance Kowara; freebsd-questions@freebsd.org
>Subject: RE: FreeBSD router two DSL connections
>
>
>Ted the incompetent, wrong on all counts once
>again:
>
>
>--- Ted Mittelstaedt <tedm@toybox.placo.com>
>wrote:
>
>>
>>
>> >-----Original Message-----
>> >From: Danial Thom
>> [mailto:danial_thom@yahoo.com]
>> >Sent: Wednesday, December 21, 2005 9:56 AM
>> >To: Loren M. Lang; Ted Mittelstaedt
>> >Cc: Yance Kowara;
>> freebsd-questions@freebsd.org
>> >Subject: Re: FreeBSD router two DSL
>> connections
>> >
>> >
>> >All upstream ISPs are
>> >connected to everyone on the internet, so it
>> >doesn't matter which you send your packets to
>> >(the entire point of a "connectionless"
>> network.
>> >They both can forward your traffic to wherever
>> >it's going.
>>
>> They aren't going to forward your traffic
>> unless
>> it's sourced by an IP number they assign. To
>> do otherwise means they would permit you to
>> spoof IP
>> numbers. And while it's possible some very
>> small
>> ISP's run by idiots that don't know any better
>> might
>> still permit this, their feeds certainly will
>> not.
>
>Yes they will.

I assure you they will not.

>Routers route based on dest
>address only. Are you somehow suggesting that an
>ISP can't be dual homed and use only one link if
>one goes down, since some of the addresses sent
>up the remaining pipe wouldn't have source
>addresses assigned by that upstream provider?

ISP's that are dual-homed have to register their subnets with both providers.

For example, suppose I'm a small ISP and I go get a Sprint connection and get assigned a range of 11 IP subnets, 192.168.1.0 - 192.168.10.0. These are Sprint-owned IP addresses of course. As I source traffic from 192.168.1.x, Sprint recognizes it as valid traffic and allows it to pass Sprint's ingress filter to me.

Now I get a bit bigger and decide I need a redundant connection. So I contact ARIN and buy an AS number, then contact ATT and get a connection to them, then set up BGP between myself and ATT & Sprint. When ATT and I are setting up BGP, ATT's techs will ask me what subnets I'm advertising, I tell them 192.168.1.0 - 192.168.10.0. ATT then checks with ARIN's whois server to make sure Sprint has entered a record for that list of subnets that says I'm authorized to use them. If all that checks out OK then ATT adjusts their ingress filters so I can source traffic to them from those subnets.

Now I get even bigger and need more IP's than what Sprint will provide, so I go to ARIN and buy them. Then all my feeds have to adjust their ingress filters to the new subnet.

Now I get even more bigger and I start trying to set up peering relationships with other networks, so I don't have to pay them directly. Well now guess what, those networks are now monitoring the traffic volume I'm sending them, because they don't want me to use and abuse them and give them little peering in return. So I now have an enormous financial incentive to make sure that any traffic coming from any of my end users is in fact valid traffic, so you better believe I'm going to enforce that with ingress filters to my downstream customers.

Anyway, this is all academic because the wrongly-sourced packet won't even get into my network to be forwarded and blocked by ATT or Sprint, or my peer routers, in the first place. Why? Because every wrongly-sourced packet I allow a customer to send to me, can potentially displace a correct packet from a customer, making their traffic slower and setting up potential for complaints.

The ONLY Internet routers that don't ingress filter today are transit routers run by transit ASs, and no network that is worth anything allows direct connections to those routers to their end-user customers.
There is just too much potential for abuse, and even more potential for being blackholed as a rogue network by the rest of the Internet.

Everybody today that knows anything about what they are doing, applies ingress filters, or they require their downstreams to ingress filter. In fact I'd say this is one of the reasons Cisco was dislodged as the core router vendor by Juniper, because of the need for enough CPU in routers closer and closer to the core to be able to run access lists.

Chances today that a cable line or a DSL line going to an end user could get a packet with a non-network source very far into the Internet are zilch. One of the largest sources of bogus source IP numbers in fact are those cheap-as-shit DSL/Cable routers, as some of those models will ARP both their legal WAN IP address, and the LAN IP addresses, on their WAN port. All of the ActionTec routers do this in bridged mode, for example, and Qwest has thousands of them deployed. And the second largest source are infected PC's that have DDoS trojans on them, which some mothership has programmed to try to DDoS some poor bugger, with bogus sources.

> You
>are beyond clueless, Ted. Why do you keep opening
>your mouth?
>
>>
>> >For efficiency's sake, you may argue
>> >that sending to the ISP that sent you the
>> traffic
>> >will be a "better path", but if one of your
>> pipes
>> >is saturated and the other running at 20%
>>
>> letsseenow, these are full duplex 'pipes', can
>> we have some direction this saturation is
>> taking
>> place in? I mean, since you are at least
>> trying to
>> make a senseless explanation sound right, you
>> might
>> as well try a bit harder.
>
>It's not senseless, you just don't understand how
>the internet works, apparently. I do this for a
>living, and you just yap.
>

I pity your customers, frankly, since you aren't even familiar with basic anti-spoofing practices.

If you really and truly do this for a living then almost certainly you do nothing with Internet routing and all your work is in corporate WANS. If that is the case then I pity your customers even more because any bozo on their network that gets a DDoS robot on it can take down their WAN.

>If you were able to "send back" the data on the
>"pipe it arrived on" then you would have uneven
>use of the "pipes". So one could be saturation
>the the other highly unused.

That is correct, and that is in fact what happens and it is precisely why this ridiculous attempt to "load balance" as you call it, does not work in real life.

>Balancing the
>outgoing data would reduce the latency that
>occurs when a "pipe" is saturated. It's hard to
>explain calculus to some who can't add or
>subtract ted, so you should figure out how
>routing works before you try something this
>complicated.
>

It's hard to explain calculations when you don't know what they are.

>>
>> >then
>> >it's likely more efficient to keep your pipes
>> >filled and send to "either" isp. You can
>> achieve
>> >this with per-packet load-balancing with
>> ciscos,
>>
>> per packet load balancing is for parallel links
>> between 2 endpoints. Not three, as in you,
>> your first ISP, and your second ISP.
>
>Wrong again, Ted. Usually that's how it is used to
>gain extra throughput, but that's not the only
>thing that it can be used for. Since the internet
>is connectionless (back to school for you Ted),
>per packet balancing can utilize 2 outgoing pipes
>to different ISPs as well. Obviously since
>failover on dual-homed network works, you can
>send your packets to any ISP you want. Routers
>route based on destination address, as anyone who
>knows how routers work knows. You can even use
>per packet load balancing on 2 lines to the same
>ISP when the other end doesn't support it; using
>2 pipes in one direction and only one in the
>other. You can be innovative when you actually
>understand how things work, Ted.
>

Danial, this is really beyond humorous, I just think it's plain sad that you are so far out in left field. You have constructed a very long line of logic that is founded on a faulty premise - that ISP's today don't ingress filter - and you have just frankly gone off on it so far that I just can't do anything other than shrug and let you disappear into the distance.

>>
>> Surprising you would drag up a Ciscoism as
>> you're such a big fan of BSD-based routers.
>>
>> >or bit-balancing with a product like ETs for
>> >FreeBSD. Unless your 2 isps are connected
>> >substantially differently (say if one is in
>> >Europe and one in the US), you'll do better
>> >keeping your pipes balanced, as YOU are the
>> >bottleneck, not the upstream, assuming you
>> have
>> >quality upstream providers.
>> >
>>
>> Sometimes you run into someone who is so
>> ignorant
>> of the subject of which he is trying to speak,
>> - routing in this case - that you can't even
>> argue with the person. Kind of like trying to
>> explain the concept of the fossil record to a
>> creationist. This is one of these times.
>
>Yes Ted. People run into you, the ultimate
>ignoramus. I have 3000 ISP customers. This is
>not just theory; it's being done. You are wrong
>about every single thing you said in this thread.
>

Sigh. Danial, please, don't make yourself look any more foolish than you already have. It's painful. Even if you're too stupid to ingress filter those 3000 hypothetical customers, those customers aren't going to waste the bandwidth that you're charging them for, by sending you traffic that doesn't originate from their IP addresses.

Ted
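
Added example, not part of the original message: a small Python model of the per-customer source-address ingress filtering the message describes, applied to packets that are round-robined over two upstream links. The /24 size of the 192.168.x.0 subnets, the router and port names, and the two-DSL user's addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress


class EdgeRouter:
    """Provider edge: a packet from a customer port is accepted only if its
    source address is inside a prefix registered for that port."""

    def __init__(self, name):
        self.name = name
        self.allowed = {}  # customer port -> permitted source networks

    def register(self, port, prefixes):
        nets = [ipaddress.ip_network(p) for p in prefixes]
        self.allowed.setdefault(port, []).extend(nets)

    def ingress(self, port, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.allowed.get(port, []))


def build_scenario():
    # Dual-homed ISP from the message; /24 per subnet is an assumption.
    isp_prefixes = [f"192.168.{n}.0/24" for n in range(1, 11)]
    sprint, att = EdgeRouter("Sprint"), EdgeRouter("ATT")
    sprint.register("small-isp", isp_prefixes)  # assigned by Sprint
    att.register("small-isp", isp_prefixes)     # added after the whois check
    # End user with two DSL lines (constructed documentation addresses):
    # each provider only knows the one address it assigned.
    dsl_a, dsl_b = EdgeRouter("DSL-A"), EdgeRouter("DSL-B")
    dsl_a.register("user", ["192.0.2.10/32"])
    dsl_b.register("user", ["198.51.100.20/32"])
    return sprint, att, dsl_a, dsl_b


def per_packet_balance(sources, links, port):
    """Round-robin packets over the links; return (link, src, accepted)."""
    return [(links[i % len(links)].name, src,
             links[i % len(links)].ingress(port, src))
            for i, src in enumerate(sources)]


if __name__ == "__main__":
    sprint, att, dsl_a, dsl_b = build_scenario()
    for row in per_packet_balance(["192.168.3.7"] * 4, [sprint, att], "small-isp"):
        print(row)
    for row in per_packet_balance(["192.0.2.10"] * 4, [dsl_a, dsl_b], "user"):
        print(row)
```

In this model the registered dual-homed prefixes pass at both upstreams, while the two-DSL user's packets pass only on the link whose provider assigned the source address.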