Randy's Work Blog

I was easily able to run two 7200s on my MacBook Pro, though it is fairly beefy for a laptop, having 8G RAM etc. It turns out that the Dynagen needs to be told to use RAM as opposed to disk, e.g.
mmap = false

The two routers could easily run IS-IS and BGP between them.

One can configure just about any kind of interface, so one can emulate a real configuration.

It is easy to connect to the outside world, just do something in the family of
[[ROUTER R1]]
f0/0 = NIO_gen_eth:en0
(any interface will do), and then configure the specified interface on the router for a real IP on your local LAN and it just bridges out. Note that this did not seem to work when my Mac was on WiFi, only on Ethernet. I suspect it has something to do with the MacOS X’s WiFi, the dreaded proxy ARP, and bridging. But I really did not take the time to debug it. I imagine hard-wired Ethernet will still be around for a year or two.

This allowed me to trivially multi-hop BGP peer with one of my real routers, r0.sea, the 7200 in the Westin. But, if I configured R1 as a 7200 with an NPE-400 and 512MB of RAM, it would crash before it loaded a full feed. If I configured it as an NPE-G2, G1 is not available, the configuration would not come up in Dynagen, and crashed out. While I am not sure I need a full feed to my MacBook :), it would be nice for certain things.

All in all, this looks like a cool tool, and I plan to keep it around.

Coming to a JSAC near you in a few months.

Evolution of Internet Address Space Deaggregation: Myths and Reality, Luca Cittadini, Wolfgang Mu?hlbauer, Steve Uhlig Randy Bush, Pierre Franc?ois, Olaf Maennel

Thanks to pfs, I am using Dynamips/Dynagen to have multiple virtual Ciscos on my MacBookPro.

Dynagen Web Site

Kit for MacOS X

It is not that I believe strongly in this approach. But it sure is simpler than many others.

Anja Feldmann, Luca Cittadini, Wolfgang Mühlbauer, Randy Bush, Olaf Maennel, HAIR: Hierarchical Architecture for Internet Routing, in Proceedings of Workshop on Rearchitecting the Internet, December 2009.

R Bush, O Maennel, M Roughan, S Uhlig Internet Optometry: Assessing the Broken Glasses in Internet Reachability, ACM SIGCOMM Internet Measurement Conference, November 2009. [in Japanese]

A co-worker pointed out that I have been lax in keeping this site updated. So …

Bellovin, S.M.; Bush, R. Configuration Management and Security, IEEE Journal on Selected Areas in Communications, Volume 27, Issue 3, April 2009 Page(s):268 – 274

As promised in my post almost two weeks ago, Olaf Maennel, Steve Bellovin, Luca Cittadini, and I have come up with a proposal which we believe to be preferable to Carrier Grade NAT (CGN). We have written it up as a tech report for small circulation at the moment, see here for pdf.

In the decade or longer transition to IPv6, NAT is inescapable.  This is a direct consequence of the design of a new protocol which is 100% incompatible on the wire, there is not the slightest compatibility mode.

We may not like this, and I certainly do not, but NATs are inevitable, get over it.

Alain Durand (Comcast) and Miyakawa Shin (NTT) have a common problem.  They say that their networks’ customer edges are so large that, even giving each CPE a small bit of IPv4 space for the ‘front’ of a NAT, they need two to five /8s of IPv4 space.  They are in a terrible trade-off space.  They either request many public IPv4 /8s from the internet registries (not likely with the exhaustion of the IPv4 IANA free pool on the horizon) or do something more complex.

The approach they are testing is being called Carrier Class NAT.  It is essentially one or more IPv4 NATs in the core of their networks and various tunneling and translation techniques.  If the CPE has dual stack, traffic where source and destination is IPv6 would not have to me NATted.

We can contrast this to, for example, NAT-PT on the CPE, which would probably scale to the needs of even a large non-consumer backbone.  But, as we noted above, Alain and Shin would need way too much IPv4 space just to front the NAT-PT front ends for their large consumer networks.

I and a few other researchers have taken up a desperate search for alternatives.  The reasons are simple.

‘Carrier class’ is a euphemism for centralized.  More semantics move to the core of the network.  This is bad in and of itself.  Net-heads call it ‘telco-think’ because it is the telco model of smarts in the core as opposed to the internet model of a simple, just forward packets, core and smart edges.

With the smarts at the edges, e.g. NAT-PT, I can easily field new protocols between consenting end-points by just tweaking the NATs at the consenting CPEs, even adding ALGs if needed.

With NAT in the core, then if a customer wants to field a new application protocol which requires cooperation from the NAT, they get to beg help from Comcast and NTT and all other users of carrier class NATs.  This is the ultimate horror the NAT-haters fear, and they are not all that wrong.

You don’t build an internet walled garden at the edges, you build it by restricting the core.  Comcast has recently received a lot of bad press for just this, though I know that Alain is very far from the those responsible.  But be assured that the developer/deployer of new applications will be talking to Comcast’s walled garden loving lawyers not Alain.

It means that all new application protocols have to go through the carrier lawyers to be allowed to be handled by the NATs in their core.  So, if someone wants to deploy a new application, they can talk to Comcast’s and NTT’s lawyers or do it over HTTP, pick your poison.

And remember that, as IPv6 deploys, and we want to have one internet, i.e. IPv4 nodes talking freely with IPv6 nodes, then translation must be done somewhere.  The challenge is whether someone can figure out a scheme where it is done for these large networks at the customer edge, not in the core.

While Olaf and I were looking for other things, we stumbled on a revealing sub-experimental result.

• We announced a /25 prefix via BGP from our research routers at the Westin in Seattle
• Sprint did not listen to it
• Verio/NTT did, and said they propagated to their customers but not their peers
• We looked at BGP feeds from RouteViews, RIS, and 700+ other BGP feeds
• BGP data said the /25 reached 15 ASs
• From a prefix in the source /25, we probed IP addresses in over 20,000 ASs
• 1023 ASs replied
• I.e. RV et alia showed a shockingly small fraction of the real AS topology, less than 1.5%

Interestingly, the AS path length shown in the 15 ASs visible in BGP was 3, while pingability and the BGP path length for a /20 was the normal >4. See the diagram.