Using routing domains / routing tables in a production network

Author: Hessler, Peter
Publisher: Berkeley System Distribution (BSD), Andrea Ross
License: CC Attribution - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Abstract

OpenBSD has supported routing domains (aka VRF-lite) since 4.6, released in 2009. In 2014, OpenBSD 5.5 gained support for IPv6 routing domains. At its most basic, routing domains are simply multiple routing tables in the same kernel. While seeming like a simple task, there are many gotchas involved in using routing domains in a production network. This talk will give a brief history, as well as some scenarios for why and how you would use routing domains, while describing several of the issues that came up during the initial deployments. Routing domains allow (for example) an airport to radically simplify its physical network configuration, saving costs and configuration overhead. A small demonstration network will be used to illustrate common and uncommon use cases.

Transcript
My name is Peter Hessler. I'm with the OpenBSD project, and in my day life I am also a network administrator and system administrator for a server hosting company, and so I'll be talking to you about using routing domains and routing tables in a production network.

This started several years ago, when I was working for a company with Reyk Floeter, another OpenBSD developer. We needed to solve some problems that customers had, and we did the development of this, and then I was the one who went to the customer and implemented it with them, doing the support role and doing more documentation for it. So I'm going to talk to you about some of the lessons I learned and how you can set up your own routing domains in your networks.
First of all, some definitions. There are two aspects: there are routing tables, also called rtables, and there are routing domains. These are different but very related things.

First is the routing tables. In a traditional Unix system, in your traditional router, you have a single routing table that contains all the routes to all the networks that you know how to connect to, and so most systems have one and only one available. On OpenBSD, with routing tables, you're allowed to have multiple routing tables, and these utilize the same interfaces. So your firewall has four Intel Gigabit cards, em0, 1, 2 and 3, and you're able to send traffic over all of them as necessary, but the IP addresses in the routing tables cannot overlap; you have to assign them and they have to be globally unique. You can have a different path to get to the destination, however. Multiple routing tables can belong to a single routing domain.

The next level is what a routing domain is. Routing tables are most commonly used for policy-based routing, and the most common example would be: you have an office with two links to the internet, a DSL link and a cable modem. The DSL link is very low latency, so it's very quick, but it's low bandwidth, so a large download will take a long time but each packet is sent very quickly. The cable modem has very high bandwidth but also very high latency, so each individual packet will take a long time to transmit across, but you can get really high data rates. So if you're just downloading an update or a web page or whatever, the most attractive path is over the cable modem, but for your voice over IP phone each of the audio packets is very small but needs to be sent very quickly and reliably to the other side, otherwise you get weird delays and possibly echoes and people talking over each other. So you use the main routing table to send the data over the cable modem, and then you simply mark the voice over IP traffic to go over the regular DSL link, so it's much faster.

A routing domain is a completely independent routing table; they are different instances inside the kernel. This allows you to have, as in my example, the 10.10.0.0 network assigned multiple times, and you can have completely independent networks available. An interface, however, can only be assigned to one routing domain at a time, because when a packet comes in, how else would you know where to route it and how to handle it, which routing domain it is for? A routing domain always contains at least one routing table. Most people are going to do policy-based routing only, or routing domains only; most people do one or the other, and it's not common to mix the two in a production environment.

The history: the first edition of routing domains was in OpenBSD 4.6 in October 2009, originally with IPv4 only. IPv6 support was finally added last year, in 2014, and the main reason it took that long was my fault, because I slacked off from doing the work and let the patch rot for about a year.

A few more definitions. VRF-lite is what's commonly known in the networking world; these were originally Cisco definitions that Juniper and the other larger network vendors have started using. VRF-lite is simply multiple routing domains, and this is generally done by hand on a single system; it is designed for a smaller entity that only has one or two routers that need to do a lot of different customer interconnects into the system. VRF proper gets a lot larger: this is the interaction between BGP and MPLS, and it usually requires larger networks. If you were in Reyk's talk earlier about OpenBSD and virtual networks, he talked about overlay networks and underlay networks. MPLS is often used as an overlay network on top of someone else's underlay network, and so a common example would be if you are a large regional or even national high-speed provider: you have all of your routers at different points of presence within a country, the customers connect to this, and then you send your traffic over the top of possibly someone else's network. That way it is still something you control, but you don't have to own all the physical links between, you know, the Atlantic and Pacific oceans.

Now, when setting up routing domains: a rule in networking is that you must have a route to the destination, and if you don't have a route then the packet is lost and dropped. For a small organization you'll have a default route going to your main gateway out to the Internet. For a medium enterprise you can have a BGP feed, and you get a full BGP table, which is effectively the default. But when you're doing routing domains, a very common mistake is to forget to create a default route within that routing domain. When a packet arrives from the network, we do a check: do we have any sort of valid route for this packet to be sent to? That check is extremely early on, even before PF inspects the packet, and if we don't have a route we drop the packet, for performance reasons. Now, a very common use of routing domains is to receive the packet and then use PF to steal the packet from that domain and move it onto another routing domain, and in this case that will fail. So what you really want to do is set up a default route in the routing domain as soon as you create it. In my experience I would say about 60 percent or more of all problems seen in these networks were simply forgetting to create a default route, or a valid route for the destination system, in the routing domain. So simply set up a default route and you will avoid a lot of problems.

[Audience question, inaudible.] So the question is: on the real network side you have a full feed of BGP and there's no real default route in the routing domain; should I create a default route anyway? The answer is: you don't strictly need to. All you have to do is have a route that exists for all of the destination networks; you can just do that. But it's extremely common to forget, and it is extremely common to not pay close attention, especially when doing this by hand. In a VRF-lite situation we're not doing BGP across routing domains, that is what VRF is for, but if you were, [inaudible]. In my examples I'm using a default route, which is perfectly legal, and that actually allows the packets to come in, be processed by PF, and be moved to where they're supposed to go. I'll get into a bit more of an example later of a situation where I'm doing simply a very closed-off link for a customer, for customer number N, and from there into a different domain; it's basically just a /24 within the site.

[Audience question, inaudible.] So what the check is: is there any type of route that exists for this packet? Is that equal to the implementation? Yes, that is correct. This is an optimization for performance that was done a while ago; it may be worthwhile to reinvestigate this decision, however in the current shipping code it is what it is. The default route can be anything: if you give the routing lookup a destination address and it returns any value, then that's accepted; which next-hop should actually be selected is done later. In a lot of my examples later, the default route is a blackhole to localhost, so that is exactly a route entry that is valid for this destination; it can be completely bogus, and usually it is. What you can also do is create only the routes for the destination networks they're allowed to talk to, as well. Just as long as it's something valid for the destination, that's all that matters. And again, in my experience, when you're creating this all by hand and managing this without any sort of dynamic routing, it's very, very confusing which routing table, which routing domain, where the routes are pointing, and so it is much simpler to just add a simple default, whether it's a regular default that makes sense for your network or just something bogus that blackholes everything; either option works.

[Audience question, inaudible.] Right, so that part is way before it even touches PF; it's extremely early on in the whole packet flow. I'll show a little bit more of that in examples later on. So this can be very confusing: which routing domain the packet is in at any given time determines how it gets routed, and it is important to keep that in mind. A lot of people are not used to using a system with more than one routing table installed and available, and for a lot of users who are not familiar with this it is a very easy thing to forget about, because they'll just look at the default routing table and go "why is my packet going out this way?" when it's in a different routing domain. So you need to look at the right routing domain and make sure that the tools you're using to check and verify are utilizing the correct routing domain.

A very common situation is that you have completely independent networks going through the same router, and traffic will come in on one interface and go out on a different interface in the same routing domain, but you want to move it to a completely different routing domain for whatever reason, and in that case you use PF, and I'll show an example of that later. Right now I'm just going to show you how to set up a very basic example. In this case we're taking the interfaces em0 and em1 and declaring them part of rdomain 1; by default every single interface is in rdomain 0. The reason rdomain is set first is that when you change an interface's routing domain, is the existing IP address still valid for this system, is this the configuration that should be there? So when you set the routing domain, it will erase all the existing configuration on the interface and remove all IP addresses from it. So always set the rdomain first and then set the addresses. It is generally recommended that you create a localhost, a loopback interface, within the correct routing domain. In this instance you see that I have set up a default route going to a gateway in rdomain 1, and then here I'm executing the SSH daemon, which is being started in routing domain 1, which is defined here with -T.
with that allows you to do is you can start your day and any arbitrary application with a specific writing domains so all incoming connections they can receive connections from the domain and all this album traffic sent over the Internet and so this can be used to set up for example 18 management network that is not accessible from the regular part of your network and so this is the output of a scene from it and you can see right here this declares that were word 1 everything else looks the same he again here and mean 1 everything else looks the same as you would normally see and here we take a look at the and the next that output to see the routing table again the sets of minus capital t 1 set to declare which remain you want to look at and then this is the standard output of this you can easily easily look at it and understand it as you would normally look at it from from administrative perspective and then this is an example of some PF rules that you can they can use the 1st rule here is any traffic becomes in being centers like a address we want to move it to the writing table number 2 in this case it would generally be part of running the mean number 2 and this is how you would move traffic from 1 writing domain to another 1 in this case is not doing any industry rewriting so from the destination source at these would need to be unique and both sides otherwise the systems with a little bit confused but not not the problem is the site itself because it understands what the the which destination it is but once it leaves open the is the it goes into just a regular network and so the network itself we have no knowledge of which I mean this is all other yes PF creates the all the correct us the full rules so you don't need to do any crazy tricks for the return traffic gets a script I here you're able to anchor and you can say that everything within Sankar applies for any packet involving writing the mean number 15 and then used to your standard Central set and you 
don't need to worry about our doing you received on this interface or whatever it is all this block only applies that running main and here is this is slightly more complex example past and that was just seems on this running the main point do a redirect to those levels for generally the loopback address and send it to run in Table 2 arbitrary differentiable for as just steal the trafficking moves
over the same thing on the last rule clean on that that so as I mentioned we have a we ran in production and as we're running production we saw a lot of interesting result 1 interesting things the 1st 1 is the the right exec originally as this was designed was it was simply a tool control tool for us to help work on the development of this so we can add the so we can later on added support to a lot of the utilities do we discovered this was and this is a useful tool that we can just use and and should be made a generic options available but there was a short period time we we made a push to add a very specific writing the main support into all of the tools that had any sort of access to the network like for example adding army supported natively within stage or within within your various other tools and we later realizes much much better for us to add it simply within this right exact command and use that as a tool to go forward a set of trying data for every single every single day man or tool or whatever armor so we decided that only the specific never told that have to know about learning domains with the thing that sets for checks are out has native support but everything else you really should be using right exactly 2 cool that is a yes so that is a different thing but that was because it was much easier to deal with the with the other process for oxygen and that is something that we definitely to expand on death the of this for across the world so in that case where I've actually done usually is run multiple always PFT instances tank each 1 inside their on our own are running the main 1 of things I always PF because it it looks at all the interfaces you're going that you simply just keep this with that it's not supposed to anything crossed it those PFT should not do any any cross running the main stuff being BP can crop can cross upon yes but the GP is also used for a full full and less so it definitely has to know about the CIA had done exactly on the right 
side of the mentioned earlier on you add a writing to interface it the IP address configuration on the interface and we we look at that as a way to to avoid a people leaking out information from the network because on underwriting network just because you have 10 0 0 1 doesn't mean that in this that has the same meaning within all of your writing demands it may it may not be so the 1st in the z race the editors configuration on however the interface running the main is independent for the physical interface and any virtual every sitting on top of it so you can have the physical Phase III and 0 in and around the main didn't have the truck sitting on top of that the different domains can have the lands sitting on top of the trunk in a completely different running have multiple the lands all in their own right domains and there's no issues at all with this each of these are real full full-featured 1st class citizen interfaces so there's no issues mixing so you're able to do you had attending that link into the switch you have all your view coming in each view and is something move marked on a different name and they just process as normal I'm cop is a little bit of a special case because copies half of interface because the design of a so cop cop using the same interface is the parents but as the only restriction because of how the hell copy here's another sister here in the you can who had not tried that I am not sure I believe there should be no behind I believe there should be no difference in the but I have not specifically try that that's that's an interesting I think I'll try their hand it back to the office yes it is the Forest Service may lead to the use of the and in the way that the world is the cost of the last thing you want to do is right and what is that the death of each of the also the question is is how to what was the proper canonical way to define where when and where a demon is being started which are the main thing started in at at boot August 
when you just running as a program yesterday is twofold death so the answer is but the a command that you want with them and you want inside article but there is not any support with what account to enforce for specific classes for a specific user and unfortunately there's a lot of very ugly problems to try and solve putting into DRC . the subsystems that have not been solved yet and so because as example so like 20 duos PFT trying to start this it's how do you define this very standardized naming for the configuration files is stabilized aiming for the the the control socket that you'd use all clear the CTL talk to it and that there is not a well-defined mechanism for this thing this near the body subsystem so you need to specify that on both the kids bound on either the command line or in the configuration files for this we also think you that this not last year or 2 years there's a lot about of foreign names and this career because of but that only works if you wanna sir once ah yes OK sorry the the there's there's 2 parts of this answer so if you wanna start the the being in 1 instance 1 of them to a different running the main that yes you would start with the if it had I believe you're not able to specify a prefix command 4 in the nearest to the substance of the cannot prefix it was started with writings that if it if the tool does have native support inside a configuration file
or as an option then yes you
can do that in your seat and instances so let's copy unit and here's the idea was to not necessarily that we would get you to yes OK yes you you you can simply just copy that the it over from that would work but I mean it's ugly and I'm not sure I would call that a it's not part of the framework is not strictly but you have to do more than simply is an article the local and so that so anything with an article focal would or with the RCC TL commands that would be definitely within the framework I suppose that this point is kind of you know for how you define things but yes you actually could copy the RC study scripts that that so starts up and or you can just do what I have done has been to just put into our still local and specified as necessary or it was something that was going to the to the user the the name for the unit that we use this as a mechanism for the yes but the question is is is the guarantee that the traffic from 1 2 domain will not move to another in yes but also from the reasoning for this yes that is there is a strong guarantee is provided on so the right mean is stored both in the process and within the and within that the routing table that's using and so they 80 process in running 0 can move to different however a process that is in writing in any other unnamed cannot move outside at writing them in that group privileges so it is running as roots then yes it can move away but if you're worried about about the quality of software and charges commented that cart by trying to skip this sort of thing then you should be running is rich so that's a very clear answer and up yes within the running cable within the the main they cannot escape from the rotten domain you are allowed to tag the traffic and move it over with PF that is a administrators and you've made and you have to load in the rule set included rules that is root and again if you game over so yes on by I have used in the past especially for a management domain and so you can you hop in 
with ssh from the outside into the machine, or you can ssh out to another machine, to another management network, so it's much, much more difficult for traffic to actually go to that destination or to cross that boundary. [Audience question, mostly inaudible, about whether PF has to be used to cross domains.] Yes is the correct answer; that is precisely what this PF configuration does. Yes, that is correct: you have to use PF, the classification of packets, to move across the different domains. The isolation is guaranteed and is wired into the system, and you are unable to escape it without using something outside of the system. So if the traffic goes out, goes through a switch and comes back in, then it's now on the routing domain that it was received on; or you can utilize PF to do this. So here, and here, and here, the packet, when it comes in, is put into whatever routing domain the interface is on, and once you receive it then you can move it. [Question: so in this example there is no in or out direction?] Yes, that's correct; with this rule you just add rtable and that's exactly what it would be; this would send all traffic in... yes. So in this rule we pass traffic in any direction, in or out, from any IP address to this IP, specified as 10.4.0.4, and then we see that we move it to routing table number 2; in this case rtable 2 is defined within rdomain 2, and so
this would move all the traffic from everywhere it has been received into a single domain, because it's on rdomain any; this is kind of the subpart that's not printed there. So that's what the first rule, the top rule, is doing. Uses for that are like a web server, a monitoring system, a backup system or anything else you want to be widely accessible to all of your systems. Of course, if you want to receive traffic from multiple routing domains and move it all to the same one, then you need some way to guarantee that the destination the routers send to you from all of those routing domains is this destination IP address; it has to be unique across all the routing domains. I'll go into an example a little bit later about how you can deal with this if it's not a unique address. So for example, in this case none of the routers on the outside are allowed to use 10.4.0.4; that is probably delivered to that system, but if that IP address is utilized by someone on one of those routers, I also have an example later of how you can still receive the traffic if they send it to a different destination IP than what everyone else does.

The other thing is that when we first added the support, we only had support for the new routing domain to receive the traffic, so we move it to the new routing domain. This caused problems with the ftp-proxy command, because ftp-proxy needs to set up rules going in both directions, so it needs to know both the old and the new routing domains, and what we discovered was that the traffic was coming in on not the default routing domain and was also being sent to not the default routing domain, so that created some problems, and we had to add support for this in a later step. So as I mentioned before, the standard rules for running a service in multiple routing domains are either do the inbound trick with PF, or run it again. If you
really run ntpd again, you get very interesting problems. I started up five ntpds in different routing domains on my laptop, and after about five minutes of wall clock my laptop was in August; thirty minutes later I could have retired if I had kept using my laptop with it; it went all crazy. So you really don't want to do that. So we added very specific support within ntpd to support routing domains: you can specify which rdomain it is listening on, or any rdomain, and you can run a single ntpd, and you specify the servers in an arbitrary rdomain as well, so in those per-line options in the configuration file. So you can have 'listen on * rtable ...', and you can have server A in rdomain 1, server B in rdomain 2, server 3 in rdomain 15, and so that way we can pull in and do strange tricks that unfortunately don't work in PF, because the destination IP address of number 2 also exists as a client in rdomain 35, and so you could not simply classify it and move it around.

So then, after the first release of this, we discovered we needed the ability to say 'on a routing domain', where it wouldn't care what interface it was on; we want to make sure that anything within this routing domain is the only thing that we select. So in the original release this command was not possible, when this command was really what we wanted, and in order to support this, instead of just doing the very simple three rules, it was about four pages of rules that we had to create on the machine, and that was very error prone, very easy to mess up, because a single typo in one line and suddenly you're trusting everything everywhere. So we discovered we needed to add that support.

So now into an example of what sort of network you can create with this. It's a purely random network, and this was a very common scenario that I saw in a lot of organizations: you have a management network, you have two outbound domains, you have backup servers, monitoring, so
this was the design, a very simple design that I modelled on several ones I saw. So you see up at the top the connection to the Internet was using rdomain 20 and not the default domain, and we have orange and pink and blue, and the monitoring server and backup server are in different domains as well; we want to enforce the law that no one can get to them without being extremely specific inside the network. This sort of service was requested by some of our customers; we were able to convince them that it was slightly overly complex. In this case the individual customer networks are what happens in the routing domains: this would be a link from your central colocation hosting provider into their direct network, and as you all know, everyone simply runs 192.168.0.1 as their primary network, so you want to make sure that this traffic did not get from orange to blue, which would be a very bad configuration for you. I also made it a little bit overly complex to show you some of the rules you can create, and so
this is showing, for customer pink, the configuration values that you just have to use. So in hostname.if we define the LAN interface for the company; it doesn't matter at all what trunk is set up in there, or what VLAN, as long as it's valid in some way, shape or form. We define the LAN, we define the domain, we give it a group name just so it's easier for us to find when looking at the output of ifconfig; it's a label that we can use both in the output of ifconfig and that we can utilize with PF as well. We define the IP address assigned to the machine, and because it's a .1 it's very likely the default gateway, or a gateway of some type, for the customer. And then we also create the localhost, the 127 address; this was not strictly a requirement, but I find it much easier to think about machines if I'm able to somehow encode the routing domain within the interface name association; it's a little cheat sheet that I use, and that's why I call it lo204. So you see here we create the standard localhost reject route, and a default route that is a blackhole: the customer only has the single /24 behind it and there's no reason to send any traffic back over there; any other default route that I create would be either pathological cases where I send it back across the link, and any network packet that I'm not actually stealing across into another routing domain would ping-pong back and forth, and obviously that's a bad thing. And this is the pf.conf
that I have for a customer. So you see all the packets that are received on rdomain 204: only the default block, then we pass in all traffic that's coming in from the pink customer; we want to accept them and not do too much filtering on them. We want to pass ICMP in both directions; we all like using ping, the results are very nice. But when it comes to the monitoring, the monitoring network is a special network; it has hooks into all the different customers natively, and so we pass that into the pink network. So I did a little bit of shorthand here: the pink macro is the same as the pink customer network; I just shortened it so it fits on the slide. So you see here we pass to the backup server on 873, the rsync port for those of you who don't have all those port numbers memorized, associated to rdomain number 6, and the traffic is sent there directly. And we are doing an outbound NAT rule, being sent to the address we've defined for them, and so you see here traffic comes in from customer pink, received onto our firewall, here in this box, and is being sent out to the Internet on rdomain 20, and then
down here we have what they received on rdomain 204; we're moving it, we have to move it outside of this anchor block, but in this case it's just simply ICMP, because this is just the standard ping test from the monitoring system, in any of the domains, to the network, and we're redirecting it around to the other domain, 204. This is the output of the routing table; as you see, it looks fairly standard to what people normally use, and this is a blackhole route, and because we have a default route, any traffic that arrives on this interface but is not for us, if it passes the first check, goes on to PF. As we see here, the traffic has to be moved out: rtable 20, here on the bottom rule; if it is a match then we can steal it, and if PF does not steal the traffic it is simply blocked, simply dropped on the floor, the standard classical behaviour. And then again the same thing with customer orange, and you notice that I use the same IP address for both orange and pink; that is to illustrate that each one that comes in is independent from the others. The traffic from the pink customer comes into this firewall, the firewall has no routes to the orange network within that routing domain, and so it does not get to it; it's not possible for it to escape, to move over. Although you should keep in mind and make sure you also don't add routing within the switches between the customer and the firewall, because if the switch gets it and moves the route, that's not in the routing domain. And again we see here just the standard output for orange: same thing, same thing, all very, very similar to each other.

And so, as I was discussing, using anchors is a very nice way to segment the rule system; anchors with PF allow you to load up your own rules into the anchor from a program, from a PF socket, or you can also simply, as I described, just add your own rules directly, and it works with an 'on' statement: so you say it's everything on this routing domain, or everything from this network, or for whatever arbitrary thing you want, you can say 'use this anchor'. And I mentioned earlier those three lines from my first slide, showing the 'on rdomain' feature: I was able to reduce to those three lines what used to be about 60 or 70 lines, with fairly intense commenting trying to describe what was happening with the network. But we also need to keep in mind how the crossing between domains works, because the routing domain itself only exists within this single firewall system; it's only on that one machine and does not exist on any other machine; they have no knowledge of this outside of the internal kernel structure. [Audience question.] Yes, the question is: doesn't MPLS use routing domains as its... ? Yes, absolutely, that is a core feature of MPLS, it's very...
yes, in our MPLS, yes, absolutely. And here I'm showing the diagram again, so after all the slides of what each output does: traffic from customer orange comes in on its own domain and has to be moved, or it stays in the routing domain and does not get moved forward. Right, so how should this be handled? This is a special thing just for the monitoring, and we see here that we have the monitoring service in rdomain 1, and so any
traffic received on rdomain number 1, so in this case traffic received from the monitoring network. Here are some examples showing you how to have different destination IP addresses, because, as we saw, all three of the customers are using the same address range, and while, as you know, people look at me funny when we're concerned about this, the unfortunate reality is you don't always have full control over the entire path. What this allows you to do is: we declare that we're going to take this 198.19.x range and declare it as the destination for all the IPs that exist within routing table 204, which would be pink. So all of pink has a different set of IP addresses, and we use the bitmask here with that netmask, so we can use one rule that covers the entire network range, and because the last octet is copied from one address to the other, you have a one-to-one mapping, so it's much easier for you to think about and to create the rules. [Question about whether this works for other mask sizes.] Yes, you can use that: this rule can use the bitmask to do a one-to-one mapping between any arbitrary size of netmask, provided you actually have that space. So if you have a given prefix and you want to do one-to-one, and you don't want to give them [inaudible], you probably should do at least one of the same size. And so this is an example to show you how you can deal with the sort of complexity of how you get across when you have conflicting addressing. And again we want the monitoring system and the backup system, and we are very happy for monitoring to do anything they want to the backup system, because if you get to the monitoring it's all done anyway. [Question, mostly inaudible.] Yes, so long as... exactly, that's exactly what this is demonstrating, and you can use any arbitrary range you want; I recommend something you control on a network, but yeah, you can pick anything; it just goes on a redirect or NAT rule, whichever method you want to use that makes sense for them. [Question, mostly inaudible, about other ways a program can get between domains.] You can do that a couple of other ways: one way is to force it to go out from one network and go through an independent device; it goes out one interface, goes through the device, comes in on another interface. Another method is that you can do a redirect rule to
a local socket, on localhost, on the port it's received on, and then you have the outbound part of that, and these take that traffic and move it out. You can use tags, you can use correlation with the source port or whatever information is there; there are several options available. If you're writing the program yourself, you can actually bind that within the program, and you would need to get write access to the PF socket, which requires root access, so you can have it privilege separated: you can have a root process that only sets up the rules that you need. ftp-proxy is a program doing exactly that, so you can simply take ftp-proxy, strip out the FTP protocol and add your own content, whatever you need to do with it from there. [Audience comment, mostly inaudible, about a patch for crossing domains directly.] ...yes... I remember that patch; I like the concept of that, I think. So for those of you who couldn't hear it from the audio, the commenter was describing that there was a patch that was not committed that allowed you to do an interface-to-interface connection that would cross routing domains in a nice way, at layer 2, without having to go through the network, and without going through layer 3 and requiring a box for that. I think this sort of support is important, and maybe it doesn't need to be its own device; maybe bridge should learn how to do this, or [inaudible], which I think would be the best solution for that one. But yeah, as was mentioned, we do not yet have [inaudible], so that would be a nice thing to have, but it hasn't been done; if anyone would like to write this up, please talk to us; patches are always, always welcome.

OK, I'll talk very quickly about MPLS. MPLS, Multi-Protocol Label Switching, requires two pieces. The first one is a label distribution protocol, which we handle in ldpd, and that passes along the MPLS labels that are necessary to build up your network; each hop along the way has some labels and handles a small label database. It works conceptually similar to OSPF, for those who are familiar with that routing protocol, and a lot of the code of the implementation was copied from ospfd and heavily modified to handle the LDP protocol. And then, in conjunction with that, BGP is utilized to distribute the end customer networks over the LDP network that is built on top of that. I don't have the time to talk about that in depth; Claudio gave a terrific presentation at a BSD conference in 2011 about it, so I recommend you read that paper; it goes through all the gory details and gives fantastic network diagrams that he used
for testing and all the configurations that you need to get it running. I don't know if there's a video; if there is, it's recommended; if there isn't, sorry.

So, best practices for setting this up. Again, as I said: default route, default route, default route. In my experience, well over 60 percent, well over 70 percent I would say, a huge amount of my problems with this went away as soon as I started doing a default route, as soon as I set my first IP address within the routing domain; even if it's just a simple reject route, I'd do the real routing on top of that later. Having the value of a destination is the most critical part of this; it will save a huge amount of time for you. And know what's available within PF: PF is really powerful, has a lot of options in it, and you can get very complex, but the complexity allows you to do it; you need to enumerate all of them. And I recommend that you spend extra time when you're planning any network involving routing domains or routing tables; it's not as intuitive as a lot of people think it is, and it is a different way of thinking about your networking. For those of you who run networks already, you probably can remember that when you first started you spent a lot of time trying to understand how the traffic is being sent around; you'll have a slightly shallower learning curve, but there will still be a little bit of a learning curve until you get used to how this all works. So simply plan ahead, do all the good diagrams you can, and that will help you a lot later on; describe the network, so you can remind yourself just what it was that you were trying to do.

Some thanks. First, Henning Brauer, who wrote the original multiple routing table support; he did it specifically to support [inaudible] at an early stage, but he actually did the implementation of a huge amount of this, and he was able to translate all the interesting sources into good documentation about this, something that I can understand. He also dealt with a lot of my questions when working up from there. Claudio spent a lot of time and effort on getting this to be available for us; he was able to get a lot of funding for this to be taken care of, and to get this into OpenBSD [inaudible]. So, are there any more questions? If not, thanks very much.
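The pink customer setup walked through in the talk, assembled into one pf.conf as an added example. This is not the speaker's slide and not configuration from the OpenBSD project; the interface name (vlan204), the group name, every address, and the hostname.if lines in the leading comment are assumptions chosen to match the layout described above (customers in their own rdomains, Internet in rdomain 20, monitoring in rdomain 1, backup in rdomain 6).

```pf
# /etc/pf.conf fragment: customer pink (rdomain 204) plus the shared
# Internet (20), monitoring (1) and backup (6) domains.
#
# Assumed interface setup, shown as a comment because it belongs in
# hostname.if(5), not pf.conf. Names and addresses are assumptions:
#   /etc/hostname.vlan204
#     rdomain 204
#     group customer
#     inet 192.168.0.1 255.255.255.0
#     !/sbin/route -T 204 add -reject default 127.0.0.1
# The reject default route is the "default route, default route" best
# practice from the talk: anything the PF rules below do not move out of
# rdomain 204 is rejected instead of wandering.

monitor_srv = "10.4.0.4"          # lives in rdomain 1 (assumed)
backup_srv  = "10.6.0.10"         # lives in rdomain 6 (assumed)
egress_ip   = "203.0.113.1"       # our address on the Internet side, rdomain 20
pink_lan    = "192.168.0.0/24"    # pink's real range; orange uses it too
pink_alias  = "198.19.204.0/24"   # what monitoring uses to reach pink

set skip on lo

# Customer pink: select on the domain, not on an interface, so a mistyped
# interface name cannot pull another customer's traffic into these rules.
anchor "pink" on rdomain 204 {
	block log

	# ping in both directions
	pass proto icmp

	# rsync to the backup server: forward the packet in the backup domain
	pass in proto tcp from $pink_lan to $backup_srv port 873 rtable 6

	# everything else from the customer LAN is forwarded in the Internet
	# domain; rdomain 204 itself only has the reject default route
	pass in from $pink_lan to ! $pink_lan rtable 20
}

# Internet domain: source-NAT the customer range on the way out.
anchor "internet" on rdomain 20 {
	block log
	match out from $pink_lan nat-to $egress_ip
	pass out
}

# Monitoring domain. Every customer is 192.168.0.0/24, so the monitoring
# system addresses pink as 198.19.204.0/24; rdr-to ... bitmask rewrites the
# network part and copies the host part (198.19.204.7 -> 192.168.0.7),
# then the packet is forwarded in rdomain 204.
anchor "monitor" on rdomain 1 {
	block log
	pass in proto icmp from $monitor_srv to $pink_alias \
	    rdr-to $pink_lan bitmask rtable 204
}

# Not pf.conf, but the ntpd point from the talk in ntpd.conf(5) form
# (one daemon for all domains; check the keyword against your release):
#   listen on * rtable 204
#   servers pool.ntp.org rtable 20
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then `route -T 204 -n show` to confirm the only default in the customer domain is the reject route. Adding a second customer is a copy of the "pink" anchor with its own rdomain number and alias range; because both anchors select `on rdomain`, the two customers can keep the same 192.168.0.0/24 without their rules or states touching each other, which is the isolation the talk relies on, provided, as the speaker warns, nothing between the customer and the firewall routes between those VLANs.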

