Ya sa ni zuwa wannan post din .
Na kawo shi a nan:
yau da karfe 18:53
Na yi farin ciki da mai bayarwa a yau. Tare da sabuntawa na tsarin toshe rukunin yanar gizon, an dakatar da mailer sa mail.ru. Tun da safe nake kiran goyan bayan fasaha, amma ba za su iya yin komai ba. Mai bayarwa karami ne, kuma a fili masu samar da matsayi mafi girma suna toshe shi. Na kuma lura da raguwar buɗewar duk rukunin yanar gizon, watakila sun shigar da wasu nau'ikan DLP na karkatacciyar hanya? A baya babu matsaloli tare da shiga. Lalacewar RuNet yana faruwa daidai a idanuna ...
Gaskiyar ita ce, da alama mu ɗaya ne mai bayarwa :)
Kuma lallai, Na kusan gane dalilin matsalolin da mail.ru (ko da yake mun ki yarda da irin wannan abu na dogon lokaci).
Za a raba abin da ke gaba zuwa kashi biyu:
- dalilan matsalolinmu na yanzu tare da mail.ru da kuma neman mai ban sha'awa don nemo su
- kasancewar ISP a cikin al'amuran yau, kwanciyar hankali na RuNet mai iko.
Matsalolin samun dama tare da mail.ru
Oh, labari ne mai tsayi.
Gaskiyar ita ce, don aiwatar da bukatun jihar (ƙarin cikakkun bayanai a kashi na biyu), mun sayi, tsarawa, da shigar da wasu kayan aiki - duka don tace abubuwan da aka haramta da kuma aiwatarwa. masu biyan kuɗi.
Wani lokaci da ya gabata, a ƙarshe mun sake gina cibiyar sadarwar ta yadda duk zirga-zirgar masu biyan kuɗi suka wuce ta wannan kayan aikin ta hanyar da ta dace.
Bayan 'yan kwanaki da suka gabata mun kunna haramtaccen tacewa akan shi (yayin barin tsohon tsarin yana aiki) - duk abin da ya yi kama da kyau.
Bayan haka, a hankali sun fara ba da damar NAT akan wannan kayan aikin don sassa daban-daban na masu biyan kuɗi. Daga ganinsa komai shima yayi kyau.
Amma a yau, bayan ba da damar NAT akan kayan aiki don ɓangaren masu biyan kuɗi na gaba, tun da safe mun fuskanci korafe-korafe masu yawa game da rashin samuwa ko samuwar wani bangare. da sauran albarkatun Rukunin Mail.
Suka fara dubawa: wani abu a wani wuri wani lokaci, lokaci-lokaci aika don amsa buƙatun musamman ga cibiyoyin sadarwar mail.ru. Bugu da ƙari, yana aika da ba daidai ba (ba tare da ACK ba), a fili TCP RST na wucin gadi. Ga yadda abin ya kasance:
A dabi'ance, na farko tunani game da sabon kayan aiki: m DPI, babu amincewa da shi, ba za ka taba sanin abin da zai iya yi - bayan duk, TCP RST ne wani fairly gama gari tsakanin tarewa kayayyakin aiki.
Tsammani Mun kuma gabatar da ra'ayin cewa wani "mafi girma" yana tacewa, amma nan da nan muka watsar da shi.
Da fari dai, muna da isassun isassun hanyoyin haɗin kai don kada mu sha wahala kamar haka :)
Na biyu, an haɗa mu zuwa da yawa a Moscow, kuma zirga-zirga zuwa mail.ru yana tafiya ta hanyar su - kuma ba su da wani nauyi ko wani dalili don tace zirga-zirga.
Rabin na gaba na rana an kashe shi akan abin da ake kira shamanism - tare da mai siyar da kayan aiki, wanda muke gode musu, ba su daina ba :)
- Tace gaba daya ta lalace
- An kashe NAT ta amfani da sabon tsarin
- PC ɗin gwajin an sanya shi a cikin wani keɓaɓɓen tafkin
- An canza adireshin IP
Da rana, an ba da na'ura mai mahimmanci wanda aka haɗa da hanyar sadarwa bisa ga tsarin mai amfani na yau da kullum, kuma an ba wa wakilan mai siyarwa damar yin amfani da shi da kayan aiki. Shamanism ya ci gaba :)
A ƙarshe, wakilin mai siyar da tabbacin ya bayyana cewa kayan aikin ba su da wata alaƙa da shi: rsts sun fito ne daga wani wuri mafi girma.
ПримечаниеA wannan lokaci, wani yana iya cewa: amma ya fi sauƙi don ɗaukar juji ba daga PC ɗin gwajin ba, amma daga babbar hanya sama da DPI?
A'a, da rashin alheri, ɗaukar juji (har ma da madubi kawai) 40+gbps ba komai bane.
Bayan haka, da yamma, babu abin da ya rage sai dai komawa ga tunanin bakon tacewa a wani wuri a sama.
Na duba ta wane IX zirga-zirga zuwa cibiyoyin sadarwar MRG ke wucewa kuma kawai na soke zaman bgp zuwa gare shi. To, sai ga! - Nan take komai ya dawo normal 🙁
A gefe guda, abin kunya ne cewa an kashe dukan yini don neman matsalar, ko da yake an warware shi a cikin minti biyar.
A wannan bangaren:
- A cikin ƙwaƙwalwar ajiyar wannan abu ne da ba a taɓa gani ba. Kamar yadda na riga na rubuta a sama - IX da gaske babu amfanin tace zirga-zirgar ababen hawa. Yawanci suna da ɗaruruwan gigabits/terabits a cikin daƙiƙa guda. Ba zan iya tunanin wani abu kamar wannan da gaske ba sai kwanan nan.
- daidaituwar yanayi mai ban sha'awa mai ban sha'awa: sabon kayan aiki mai rikitarwa wanda ba a amince da shi ba kuma ba a bayyana abin da za a iya tsammani ba - wanda aka keɓance musamman don toshe albarkatu, gami da TCP RSTs.
NOC na wannan musayar intanet a halin yanzu yana neman matsala. A cewar su (kuma na yi imani da su), ba su da wani tsarin tacewa na musamman. Amma, na gode sammai, ƙarin neman ba shine matsalarmu ba :)
Wannan ƙaramin ƙoƙari ne na gaskata kaina, don Allah ku fahimta kuma ku gafarta :)
PS: Da gangan ban ambaci sunan mai kera DPI/NAT ko IX ba (a zahiri, ba ni da wani gunaguni na musamman game da su, babban abu shine fahimtar menene)
Gaskiyar yau (da ta jiya da ta jiya) ta mahangar mai samar da Intanet.
Na shafe makonnin da suka gabata mahimmanci sake gina ainihin hanyar sadarwar, tare da yin gungun manipulations "don riba", tare da haɗarin tasiri mai mahimmanci na zirga-zirgar mai amfani. Yin la'akari da manufofin, sakamakon da sakamakon duk wannan, a halin kirki duk yana da wuyar gaske. Musamman - sake sauraron jawabai masu kyau game da kare zaman lafiyar Runet, mulkin mallaka, da dai sauransu. da sauransu.
A cikin wannan sashe, zan yi ƙoƙarin bayyana "juyin halitta" na cibiyar sadarwa na ISP na yau da kullum a cikin shekaru goma da suka gabata.
Shekaru goma da suka wuce.
A waɗancan lokatai masu albarka, ainihin hanyar sadarwar mai bayarwa na iya zama mai sauƙi kuma abin dogaro kamar cunkoson ababen hawa:
A cikin wannan hoto mai sauƙi, babu gangar jikin, zobe, ip/mpls routing.
Mahimmancin sa shi ne cewa zirga-zirgar mai amfani a ƙarshe ya zo matakin kernel yana canzawa - daga inda ya tafi , daga inda, a matsayin mai mulkin, komawa zuwa ainihin sauyawa, sa'an nan kuma "fita" - ta hanyar ɗaya ko fiye da iyakokin iyaka zuwa Intanet.
Irin wannan makircin yana da sauqi da sauqi don ajiyewa duka akan L3 (tsari mai ƙarfi) da kuma akan L2 (MPLS).
Kuna iya shigar da N+1 na kowane abu: samun damar sabobin, masu sauyawa, iyakoki - da wata hanya ko wata ta ajiye su don gazawar atomatik.
Bayan 'yan shekaru Ya zama a fili ga kowa da kowa a Rasha cewa ba zai yiwu a ci gaba da rayuwa irin wannan ba: yana da gaggawa don kare yara daga mummunar tasirin Intanet.
Akwai buƙatar gaggawa don nemo hanyoyin tace zirga-zirgar mai amfani.
Akwai hanyoyi daban-daban a nan.
A cikin yanayin da ba shi da kyau sosai, an sanya wani abu "a cikin rata": tsakanin zirga-zirgar mai amfani da Intanet. Ana bincikar zirga-zirgar da ke wucewa ta wannan “wani abu” kuma, alal misali, fakitin karya tare da turawa ana aika zuwa mai biyan kuɗi.
A cikin mafi kyawun yanayin - idan adadin zirga-zirgar zirga-zirga ya ba da izini - zaku iya yin ƙaramin dabara tare da kunnuwanku: aika don tacewa kawai zirga-zirgar ababen hawa da suka samo asali daga masu amfani kawai zuwa waɗancan adiresoshin da ake buƙatar tacewa (don yin wannan, zaku iya ɗaukar adiresoshin IP ko dai. ƙayyadaddun wurin daga wurin yin rajista, ko kuma ƙara warware wuraren da ke akwai a cikin rajista).
A wani lokaci, don waɗannan dalilai, na rubuta mai sauƙi - ko da yake ban ma kuskura na kira shi ba. Abu ne mai sauqi qwarai kuma ba mai fa'ida sosai ba - duk da haka, ya ba mu damar da yawa (idan ba ɗaruruwan ba) na sauran masu samar da su ba nan da nan harsashi miliyoyin akan tsarin DPI na masana'antu, amma ya ba da ƙarin ƙarin shekaru da yawa.
Af, game da lokacin da na yanzu DPIAf, da yawa waɗanda suka sayi tsarin DPI da ake samu a kasuwa a wancan lokacin sun riga sun jefar da su. To, ba a tsara su don wannan ba: dubban ɗaruruwan adireshi, dubban URLs.
Kuma a sa'i daya kuma, masana'antun cikin gida sun tashi sosai zuwa wannan kasuwa. Ba na magana ne game da bangaren hardware - komai ya bayyana ga kowa a nan, amma software - babban abin da DPI ke da shi - watakila a yau, idan ba mafi ci gaba a duniya ba, to lalle ne a) tasowa ta hanyar tsalle-tsalle da iyakoki, da b) a farashin samfurin akwati - kawai wanda ba zai iya kwatantawa da masu fafatawa na kasashen waje.
Ina so in yi alfahari, amma ɗan bakin ciki =)
Yanzu komai yayi kama da haka:
A cikin wasu shekaru biyu kowa ya riga ya sami masu dubawa; Akwai ƙarin albarkatu a cikin rajistar. Ga wasu tsofaffin kayan aiki (alal misali, Cisco 7600), tsarin "tace-gefe" kawai ya zama wanda ba zai iya amfani da shi ba: yawan hanyoyin da ke kan dandamali 76 yana iyakance ga wani abu kamar dubu ɗari tara, yayin da adadin hanyoyin IPv4 kadai a yau yana gabatowa 800. dubu. Idan kuma ipv6 ne... Haka kuma... nawa ne? adiresoshin guda 900000 a cikin haramcin RKN? =)
Wani ya canza zuwa makirci tare da madubi na duk zirga-zirgar kashin baya zuwa uwar garken tacewa, wanda ya kamata yayi nazarin dukkan kwararar kuma, idan an sami wani abu mara kyau, aika RST a duk kwatance (mai aikawa da mai karɓa).
Koyaya, yawan zirga-zirgar zirga-zirga, ƙarancin amfani da wannan tsarin shine. Idan an sami ɗan jinkiri a cikin sarrafawa, madubin zirga-zirgar ababen hawa za su tashi kawai ba tare da an lura da su ba, kuma mai bayarwa zai sami kyakkyawan rahoto.
Ana tilasta wa masu samarwa da yawa shigar da tsarin DPI na matakan aminci daban-daban a cikin manyan tituna.
Shekara daya ko biyu da suka wuce bisa ga jita-jita, kusan dukkanin FSB sun fara buƙatar ainihin shigarwa na kayan aiki (a baya, yawancin masu samarwa suna gudanar da su tare da izini daga hukumomi Tsarin SORM - wani shiri na matakan aiki idan akwai buƙatar samun wani abu a wani wuri)
Bugu da ƙari, kuɗi (ba daidai ba ne, amma har yanzu miliyoyin), SORM yana buƙatar ƙarin magudi tare da hanyar sadarwa.
- SORM yana buƙatar ganin adiresoshin mai amfani "launin toka" kafin fassarar nat
- SORM yana da iyakataccen adadin mu'amalar hanyar sadarwa
Saboda haka, musamman, dole ne mu sake gina wani yanki na kwaya - kawai don tattara zirga-zirgar masu amfani zuwa sabar shiga wani wuri a wuri guda. Domin a yi kama da shi a cikin SORM tare da hanyoyi da yawa.
Wato, an sauƙaƙa sosai, ya kasance (hagu) vs ya zama (dama):
Yanzu Yawancin masu samarwa kuma suna buƙatar aiwatar da SORM-3 - wanda ya haɗa da, a tsakanin sauran abubuwa, shiga nat watsa shirye-shirye.
Don waɗannan dalilai, dole ne mu ƙara kayan aiki daban don NAT zuwa zanen da ke sama (daidai abin da aka tattauna a ɓangaren farko). Bugu da ƙari, ƙara a cikin wani tsari: tun da SORM dole ne "gani" zirga-zirga kafin fassarar adireshi, dole ne zirga-zirga ya tafi daidai kamar haka: masu amfani -> sauyawa, kernel -> sabobin shiga -> SORM -> NAT -> sauyawa, kernel - > Intanet. Don yin wannan, dole ne mu zahiri "juya" zirga-zirgar zirga-zirgar ababen hawa zuwa wata hanya don riba, wanda kuma ya kasance mai wahala.
A taƙaice: a cikin shekaru goma da suka gabata, ainihin ƙira na matsakaicin mai bada ya zama sau da yawa mafi rikitarwa, kuma ƙarin maki na gazawar (duka a cikin nau'i na kayan aiki da kuma nau'i na layi daya) sun karu sosai. A zahiri, ainihin abin da ake buƙata don “ga komai” yana nufin rage wannan “komai” zuwa aya ɗaya.
Ina tsammanin wannan za a iya bayyana shi a sarari ga shirye-shiryen yanzu don mulkin Runet, kare shi, daidaita shi da inganta shi :)
Kuma Yarovaya yana gaba.
source: www.habr.com