FreeBSD router two DSL connections

Ted Mittelstaedt tedm at toybox.placo.com
Mon Dec 26 01:27:16 PST 2005



>-----Original Message-----
>From: Danial Thom [mailto:danial_thom at yahoo.com]
>Sent: Friday, December 23, 2005 3:47 PM
>To: Ted Mittelstaedt; Loren M. Lang
>Cc: Yance Kowara; freebsd-questions at freebsd.org
>Subject: RE: FreeBSD router two DSL connections
>
>
>Ted the incompetent, wrong on all counts once
>again:
>
>
>--- Ted Mittelstaedt <tedm at toybox.placo.com>
>wrote:
>
>> 
>> 
>> >-----Original Message-----
>> >From: Danial Thom
>> [mailto:danial_thom at yahoo.com]
>> >Sent: Wednesday, December 21, 2005 9:56 AM
>> >To: Loren M. Lang; Ted Mittelstaedt
>> >Cc: Yance Kowara;
>> freebsd-questions at freebsd.org
>> >Subject: Re: FreeBSD router two DSL
>> connections
>> >
>> >
>> >All upstream ISPs are
>> >connected to everyone on the internet, so it
>> >doesn't matter which you send your packets to
>> >(the entire point of a "connectionless"
>> network).
>> >They both can forward your traffic to wherever
>> >it's going.
>> 
>> They aren't going to forward your traffic
>> unless
>> it's sourced by an IP number they assign.  To
>> do otherwise means they would permit you to
>> spoof IP
>> numbers.  And while it's possible some very
>> small
>> ISP's run by idiots that don't know any better
>> might
>> still permit this, their feeds certainly will
>> not.
>
>Yes they will.

I assure you they will not.

>Routers route based on dest
>address only. Are you somehow suggesting that an
>ISP can't be dual homed and use only one link if
>one goes down, since some of the addresses sent
>up the remaining pipe wouldn't have source
>addresses assigned by that upstream provider?

ISPs that are dual-homed have to register their
subnets with both providers.

For example, suppose I'm a small ISP and I go get a
Sprint connection and get assigned a range of
11 IP subnets, 192.168.1.0 - 192.168.10.0

These are Sprint-owned IP addresses of course.  As
I source traffic from 192.168.1.x, Sprint recognizes
it as valid traffic and allows it to pass Sprint's 
ingress filter to me.

Now I get a bit bigger and decide I need a redundant
connection.  So I contact ARIN and buy an AS number,
then contact ATT and get a connection to them, then
set up BGP between myself and ATT & Sprint.

When ATT and I are setting up BGP, ATT's techs will
ask me what subnets I'm advertising, I tell them
192.168.1.0 - 192.168.10.0  ATT then checks with
ARIN's whois server to make sure Sprint has entered
a record for that list of subnets that says I'm
authorized to use them.  If all that checks out OK
then ATT adjusts their ingress filters so I can
source traffic to them from those subnets. 

Now I get even bigger and need more IPs than what
Sprint will provide, so I go to ARIN and buy them.
Then all my feeds have to adjust their ingress filters
to the new subnet.

Now I get even bigger and I start trying to set up
peering relationships with other networks, so I
don't have to pay them directly.  Well now guess what,
those networks are now monitoring the traffic volume
I'm sending them, because they don't want me to use
and abuse them and give them little peering in return.
So I now have an enormous financial incentive to make
sure that any traffic coming from any of my end users
is in fact valid traffic, so you better believe I'm
going to enforce that with ingress filters to my
downstream customers.

Anyway, this is all academic because the wrongly-sourced
packet won't even get into my network to be forwarded
and blocked by ATT or Sprint, or my peer routers, in the
first place.  Why? Because every wrongly-sourced packet
I allow a customer to send to me, can potentially displace
a correct packet from a customer, making their traffic slower
and setting up potential for complaints.

The ONLY Internet routers that don't ingress filter today are
transit routers run by transit ASs, and no network that
is worth anything allows direct connections to those
routers to their end-user customers.  There is just too much
potential for abuse, and even more potential for being
blackholed as a rogue network by the rest of the Internet.

Everybody today that knows anything
about what they are doing, applies ingress filters, or
they require their downstreams to ingress filter.  In fact I'd
say this is one of the reasons Cisco was dislodged
as the core router vendor by Juniper, because of the need
for enough CPU in routers closer and closer to the core
to be able to run access lists.

Chances today that a cable line or a DSL line going to an
end user could get a packet with a non-network source
very far in to the Internet are zilch.

One of the largest sources of bogus source IP numbers in
fact are those cheap-as-shit DSL/Cable routers, as some
of those models will ARP both their legal WAN IP address,
and the LAN IP addresses, on their WAN port.  All of the
ActionTec routers do this in bridged mode, for example,
and Qwest has thousands of them deployed.  And the second
largest source are infected PCs
that have DDoS trojans on them, which some mothership
has programmed to try to DDoS some poor bugger, with
bogus sources.

> You
>are beyond clueless, Ted. Why do you keep opening
>your mouth?
>
>> 
>> >For efficiencies sake, you may argue
>> >that sending to the ISP that sent you the
>> traffic
>> >will be a "better path", but if one of your
>> pipes
>> >is saturated and the other running at 20% 
>> 
>> letsseenow, these are full duplex 'pipes', can
>> we have some direction this saturation is
>> taking
>> place in?  I mean, since you are at least
>> trying to
>> make a senseless explanation sound right, you
>> might
>> as well try a bit harder.
>
>It's not senseless, you just don't understand how
>the internet works, apparently. I do this for a
>living, and you just yap.
>

I pity your customers, frankly, since you aren't even
familiar with basic anti-spoofing practices.

If you really and truly do this for a living then
almost certainly you do nothing with Internet routing
and all your work is in corporate WANS.  If that
is the case then I pity your customers even more
because any bozo on their network that gets a 
DDoS robot on it can take down their WAN.

>If you were able to "send back" the data on the
>"pipe it arrived on" then you would have uneven
>use of the "pipes". So one could be saturated,
>the other highly unused.

That is correct, and that is in fact what happens
and it is precisely why this ridiculous attempt
to "load balance" as you call it, does not work
in real life.

>Balancing the
>outgoing data would reduce the latency that
>occurs when a "pipe" is saturated. It's hard to
>explain calculus to someone who can't add or
>subtract, Ted, so you should figure out how
>routing works before you try something this
>complicated.
>

It's hard to explain calculations when you don't
know what they are.

>> 
>> >then
>> >its likely more efficient to keep your pipes
>> >filled and send to "either" isp. You can
>> achieve
>> >this with per-packet load-balancing with
>> ciscos,
>> 
>> per packet load balancing is for parallel links
>> between 2 endpoints.  Not three, as in you,
>> your first ISP, and your second ISP.
>
>Wrong again, Ted. Usually that's how it is used to
>gain extra throughput, but that's not the only
>thing that it can be used for. Since the internet
>is connectionless (back to school for you Ted),
>per packet balancing can utilize 2 outgoing pipes
>to different ISPs as well. Obviously since
>failover on dual-homed network works, you can
>send your packets to any ISP you want. Routers
>route based on destination address, as anyone who
>knows how routers work knows. You can even use
>per packet load balancing on 2 lines to the same
>ISP when the other end doesn't support it; using
>2 pipes in one direction and only one in the
>other. You can be innovative when you actually
>understand how things work, Ted.
>

Danial, this is really beyond humorous, I just
think it's plain sad that you are so far out in
left field.

You have constructed a very long line of logic that
is founded on a faulty premise - that ISP's today
don't ingress filter - and you have just frankly
gone off on it so far that I just can't do anything
other than shrug and let you disappear into the
distance.

>> 
>> Surprising you would drag up a Ciscoism as
>> you're such a big fan of BSD-based routers.
>> 
>> >or bit-balancing with a product like ETs for
>> >FreeBSD. Unless your 2 isps are connected
>> >substantially differently (say if one is in
>> >Europe and one in the US),  you'll do better
>> >keeping your pipes balanced, as YOU are the
>> >bottleneck, not the upstream, assuming you
>> have
>> >quality upstream providers.
>> >
>> 
>> Sometimes you run into someone who is so
>> ignorant
>> of the subject of which he is trying to speak,
>>  - routing in this case - that you can't even
>> argue with the person.  Kind of like trying to
>> explain the concept of the fossil record to a
>> creationist.  This is one of these times.
>
>Yes Ted. People run into you, the ultimate
>ignoramus. I have 3000 ISP customers. This is
>not just theory; it's being done. You are wrong
>about every single thing you said in this thread.
>

Sigh.  Danial, please, don't make yourself look
any more foolish than you already have.  It's
painful.  Even if you're too stupid to ingress filter
those 3000 hypothetical customers, those customers
aren't going to waste the bandwidth that you're charging
them for, by sending you traffic that doesn't originate
from their IP addresses.


Ted
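As an added illustration of the ingress-filter point argued in this message (not code from the thread or from any product named in it), the Python below models two upstreams that each accept only packets sourced from address space they have authorized, then sprays one flow over both links the way the "per-packet load balancing" debated above would. The prefixes, the routing registry and the ASN are constructed placeholders, not real provider data.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data modelled on the post's scenario: the prefixes are RFC 1918 and
# documentation space, and ROUTING_REGISTRY stands in for the ARIN whois records the post
# describes. None of this is real provider data; the ASN is an assumed private one.
SPRINT_PREFIXES = [f"192.168.{n}.0/24" for n in range(1, 11)]  # "192.168.1.0 - 192.168.10.0"
ROUTING_REGISTRY = {"AS64500": SPRINT_PREFIXES}                # small ISP -> prefixes it may originate


def ingress_filter(allowed_prefixes):
    """Build the post's 'ingress filter': accept a packet only if its source address lies
    inside a prefix the upstream has been told this customer is authorized to originate."""
    nets = [ip_network(p) for p in allowed_prefixes]
    return lambda src: any(ip_address(src) in net for net in nets)


def provision_upstream(customer_asn, registry, directly_assigned=()):
    """An upstream building its filter from its own assignments to the customer plus what
    the registry says the customer may originate (the ATT-checks-ARIN step in the post)."""
    return ingress_filter(list(directly_assigned) + registry.get(customer_asn, []))


def per_packet_balance(packets, upstreams):
    """Spray packets round-robin over the links (the 'per-packet load balancing' debated in
    the thread) and record whether each upstream's ingress filter accepts the packet."""
    results = []
    for i, (src, dst) in enumerate(packets):
        name, accepts = upstreams[i % len(upstreams)]
        results.append((name, src, dst, accepts(src)))
    return results


def delivered_fraction(results):
    """Share of balanced packets that got past the upstream filters."""
    return sum(1 for r in results if r[3]) / len(results)


def dual_dsl_scenario():
    """The original question: one router, two DSL lines, one address from each ISP, with a
    single session sourced from ISP-A's address sprayed over both links."""
    isp_a = ("ISP-A", ingress_filter(["203.0.113.10/32"]))
    isp_b = ("ISP-B", ingress_filter(["198.51.100.20/32"]))
    flow = [("203.0.113.10", "192.0.2.80")] * 6
    return per_packet_balance(flow, [isp_a, isp_b])


def dual_homed_isp_scenario(registered):
    """The post's small ISP: Sprint-assigned space, a second link to ATT, and ATT's filter
    opened only once the registry shows the customer is authorized for those prefixes."""
    registry = ROUTING_REGISTRY if registered else {}
    sprint = ("Sprint", provision_upstream("AS64500", registry, SPRINT_PREFIXES))
    att = ("ATT", provision_upstream("AS64500", registry))
    return per_packet_balance([("192.168.3.7", "192.0.2.80")] * 6, [sprint, att])
```

In the two-DSL case every second packet of the session is dropped by the ISP whose address it was not sourced from, which is the failure mode the message describes; the dual-homed ISP only gets full delivery after the second upstream has been told which prefixes it is authorized to originate.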
