OSPF Flood Reduction

Posted Jun.11, 2010 under Networking, OSPF

By default OSPF floods its domain with LSAs every 30 mn, that is half of the Max-Age time which is of 1h to ensure that the LSA database across all routers of the domain are in sync and the network is properly converged.

While this acts as good failsafe in case LSA’s are dropped and LS databases across downstream routers become inconsistent when topology changes occur, it is reasonable on stable networks, to completely disable the LSA scheduled updates and only propagate LSA updates only once the network topology changes.

Doing so, sets the bit set of the LSA’s Age field to “DoNotAge“. That means the LSA will be flushed of the database only where there is a topology change.

Keep in mind that LSA with the DoNotAge bit set are not only generated when setting OSPF flood reduction but by default on “on-demand circuits” and “sham links”.

The IOS interface command will be ip ospf flood-reduction.

Cheers,

Ali

Tags: ,
Leave a Comment

Optimized Edge Routing – OER

Posted May.31, 2010 under BGP, Networking, OER

While they are many ways to optimize routing by aggregating many technologies together as using BGP with MPLS, it is often easier to simply fall back to OER to influence traffic routing based on Netflow events/IP-LSA, packet loss, response time, load balancing policies, line jitters and thus dynamically adapt route metrics, inject or remove routes using IGP/BGP.

OER is therefore able to automatically detect degradation/congestion on specific links and influence routing over alternate paths, based upon its configuration.

Having said that, in every deployed topology, there must be one “Master Controller OER”, either itself a border router or connecting to the border routers, each interface (inbound/outbound) of the border routers should be registered and under OER’s control. the MC router would then upload routing policies to the Border Routers, themselves connecting to the Wan links.

Now before we go on, it is important to keep in mind that OER only monitors outbound interfaces and will only control outward traffic. It will not affect Inter-domain routing nor asymmetrical routing.

There are 5 phases to remember when dealing with OER

1. Profile Phase

OER is running in “learning mode” during which it monitors the traffic flowing through the outbound interfaces ‘under its control’, evaluating traffic classes with a performance problem such high delays etc…

2. Measure Phase

Generated Performance Metrics of the Profiled traffic classes are then reported from the Border Routers to the Master Controller. Those Metrics can either be generated while OER evalues the traffic flowing through the data path or actively simulate the traffic to evaluate performance. Those 2 methodology are respectively refered as Passive and Active Monitoring.

3. Apply Policy Phase

This phase is actually quite miss-leading, as OER is simply evaluating traffic performance against a set of threasolds manually configured for each traffic class. For example, how many % of packet loss is acceptable for a specific traffic class or on a specific link etc.. The MC therefore will evaluate which flow is OOP (Out Of Policy). They are therefore 2 type of defined Policy, Traffic class Policies (Application, Prefixes) and Link Policies (Inbound/Outbound link).

4. Control Phase

Once the flow has been identified to be OOP, the MC will dynamically adjust the data path by injecting routes or modifying the routes using IGP or BGP and redirect the traffic from one exit to the other.

5. Verify Phase

Once the flow has been redirected, it is again evaluated as in “Policy Phase” and if determined to be in OOP, the changes are reverted back and the “Measure Phase” is triggered for the flow to be re-evaluated.

Tags: , ,
1 Comment

Linux Kernel Route Cache

Posted May.15, 2010 under Networking, Unix / Linux

To understand the importance of the routing cache, it is important to keep in mind and visualize the 3 main routing hash tables in use in the kernel for routing decisions… the Route Cache (what we will be discussing), the Route Policy Database and the Route Table. It is also in this order that the network subsystem queries the tables to make a forwarding decision. To display the “Route Cache”, one could simply issue the “ip route show cache” command.

[ kernel network subsystem ] —-> Route Cache || [ If no match ] —-> RPDB || [ If no match ] —-> Route Table

When the routing subsystem of the kernel is initialized, an exec of ip_rt_init is initiated.

void __init ip_init(void)
{
dev_add_pack(&ip_packet_type);
ip_rt_init();
inet_initpeers();
#ifdef CONFIG_IP_MULTICAST
proc_net_create("igmp", 0, ip_mc_procinfo);
#endif
}

(source: linux/net/ipv4/ip_output.c)

Part of ip_rt_init is to allocate the memory set to be used to cache the network routes but also to initialize global variables such as rt_hash_table and rt_hash_rnd and many others.

You can view the details of the ip_rt_init function in /net/ipv4/route.c

rt_hash_table defines a hash table of the route cache with rt_hash_mask holding its size. An easy way to check the size of the routing cache table is to look in dmesg, by grepping “IP route”

aabbas@mig:~$ dmesg |grep “IP route”
[    1.814492] IP route cache hash table entries: 262144 (order: 9, 2097152 bytes)

The max size of the route cache is configurable through /proc/sys/net/ipv4/route/max_size. That being said, the current size is determined when booting in junction with the amount of ram available; furthermore to prevent the size of the hash to exceed the max_size, the kernel makes use of a garbage collector gc_tresh

When an interface goes down/up or a new changes take place which would affect the routing cache, the kernel executes rt_cache_flush which in returns executes rt_run_flush.Many events such as IP removal, removal of interfaces etc… trigger the route cache to be flushed, however keep in mind, that periodically it will be flushed based on the value of rt_secret_timer. The time value is configurable in /proc/sys/net/ipv4/route/secret_interval.

To trigger a route cache flush, issue

echo -1 > /proc/sys/net/ipv4/route/flush or ip route flush cache

ip_rt_min_delay and ip_rt_max_delay define the time within which the flush would occur, setting the ip_rt_min_delay value to 0 would immediately ensure that the cache is flushed when rt_run_flush is triggered.

I have only tackled a tiny aspect of the Route Cache network subsystems and hopefully this gives some basic ideas unto which to build to get a grounded understanding on how the global subsystem operates at the Network Stack – having said that, the routing cache is only one subset of all its functions.

Cheers,

Ali

Tags: , ,
Leave a Comment

Cisco IOS Trojan – well not really

Posted May.12, 2010 under General

Hi there!

Jeremy on “evilrouters.net” issued a post regarding a white-paper published on the GCIH website, the paper is entitled “IOSTrojan: Who really owns your router?“. The pdf is available at this link and is about 26 pages. Being curious as to all things IT, especially in the domains of Networking and Unix, I dived in and read the pdf in its integrality and here is my take

In the major part of this article, the author mainly focus on demonstrating how a tcl script executed could lure the user into being in an ios shell and not tcl shell by parsing and handling most of the IOS commands. While the author makes a good point for anyone not being aware of the tcl script setup, it makes me wonder as to which extend, a scenario as such would take place in a production environment and whether this would qualify as such as a Trojan, since the code process of execution is not hidden from the user’s view, which itself brings me to the following question: “who does run a tcl script on a production network equipment without source reading it?”

Last but not least, yet again another reminder that the weakest link in a deployed environment (whether it be a deployed network or server farms) is the design and maintenance of the security guideline and practices.

Tags:
Leave a Comment

OSPF LSA Types

Posted May.06, 2010 under Networking, OSPF

Following my blog post on OSPF BDR – DR election, I have received various questions regarding OSPF and thus I decided to write a small excerpt to describe the type of LSAs generated whether it is in a stub area etc…

Before I start, it is important to keep in mind, that LSAs are carried into OSPF packet 4 . Those OSPF packet 4 are referred as LSU (Link-State Update) and carries the router’s LSA (one or more).

Now, they are 11 type of LSAs, however LSA 6 – 8/9/10/11 will not be covered in this post but in another post

LSA-1 – Router Link LSA

By default all routers in an OSPF area will be sending LSA updates of type 1. Those LSA never gets forwarded out of the area and are sent by each member to inform the other members of its links states, adjacencies (stub interfaces etc..) and cost to the area.

LSA-2 – Network Link LSA

Back to my previous post, this LSA is only generated by the DR (Designated Router); it is generated to inform the routers within its area, which routers are all part of the same segment.

LSA-3 – Network Summary Link

This LSA is only generated by the ABR and exchanged between the areas. It allows routing and communication between the areas as the ABR agregates the routes it learns.

LSA-4 – AS External ASBR Summary Link

Sent from an ABR to the routers in its area, it defines the next hop to reach the external routes advertized by the ASBR

LSA-5 – External Link LSA

This LSA is generated by an ASBR. It contains the routes redistributed into the area. When looking at the routing table, you will see that those routes will have an appendix of E1 or E2.

LSA 7 – NSSA External LSA

This LSA is also generated by the ASBR inside a NSSA, it describes the routes that have been distributed into the NSSA. Furthermore, keep in mind that as the LSA leaves the NSSA to the backbone, it is translated as an LSA type 5 (LSA-5). When looking at the routing table, you will see that those routes have an appendix of N1 or N2.*

As a short summary

  • Standard areas – LSA type { 1 – 2 – 3 – 4 – 5 }
  • Stub areas – LSA type { 1 – 2 – 3 }
  • Totally stubby areas – LSA type { 1 – 2 – 3 }
  • Not-so-stubby areas – LSA type { 5 – 7 }
Tags: ,
Leave a Comment