North American Network Operators Group


Re: BGP to doom us all

  • From: Jack Bates
  • Date: Mon Mar 03 07:56:20 2003

From: "Avi Freedman"

>
> "Router CPUs average 50%, and S-BGP adds 10%" (paraphrase)
> Average is somewhat less relevant than common peaks.
> GSRs and 7500s and 7200s all get up there at 90+% on the real Internet.
>
I agree. I have a tricked-out 7200 managing 3 peers. Normal traffic
utilization rate is 30% CPU usage. The BGP scan kicks it to 90%+ CPU. During DDOS
attacks, the hardest part of stabilizing the system is CPU resource
management and in particular BGP stability. Often, one peer has to be shut
down to maintain stability on the other two. At that point, work can
continue to track and block the DDOS. Then all peers can be brought up, but
depending on the severity of the attack, CPU can still be cranking at 90-96%,
but at least traffic is stable. Changes to how we do BGP have effects beyond
just BGP routing. It also affects other routing and network issues.

> And with the assumption that people will be willing to front their big
> iron with offboard routing CPU boxes.
>
Offload routing? To where? A server running an OS that can't run 1/2 the
life of my router without a reboot? To a port adapter that my router doesn't
have room for? Or do I need to call Cisco and say, "Congrats! You finally
get to sell me that $140,000 7500 series router I previously couldn't afford
and didn't quite need yet." Here's the kicker. I couldn't inject a route
that wasn't mine into any of my peers without calling them first and asking
permission. My network doesn't gain anything, but I lose a lot.

> I just don't see these things happening.  And even if they could/would,
> I think S-BGP needs more paranoid simulation/attack/analysis before it
> in particular could be the grand fix.
>
I agree. Deployment would also be long in coming. I may run an all-Cisco
network, but I don't run any code past 12.0, and when possible, GD releases
only. From deployment of the finalized protocol, I'd expect a 3-5 year wait
(probably longer) before the protocol reaches a Cisco GD maturity level.

-Jack