A detailed reply to a comment, and a little about the life of providers in the Russian Federation

What prompted me to write this post was this comment.

I quote it here:

kaleman today at 18:53

My provider made my day today. Along with an update of its site-blocking system, its mail.ru mail service got banned. I have been calling technical support since the morning, but they cannot do anything. The provider is small, and apparently the upstream providers are doing the blocking. I also noticed that all sites open more slowly; maybe they installed some crooked DLP? There were no access problems before. The destruction of the RuNet is happening right before my eyes...

The thing is, it looks like we are that very provider :)

And indeed, kaleman very nearly guessed the cause of the problems with mail.ru (although we refused to believe such a thing for a long time).

What follows is divided into two parts:

  1. the causes of our current problems with mail.ru and the exciting quest to find them
  2. the existence of an ISP in today's conditions, and the stability of the RuNet.

Problems reaching mail.ru

Oh, it is quite a long story.

The thing is that, to meet the state's requirements (more on that in the second part), we bought, configured and installed some equipment, both for filtering prohibited resources and for performing NAT translation of subscribers.

Some time ago we rebuilt the network core so that all subscriber traffic passes through this equipment strictly in the right direction.

A few days ago we turned on prohibited-resource filtering on it (while leaving the old system running), and everything seemed to go well.

Then we gradually began enabling NAT on this equipment for different groups of subscribers. By the look of it, everything again seemed to be going well.

But today, after enabling NAT on the equipment for the next group of subscribers, from the very morning we faced a fair number of complaints that mail.ru and other Mail Ru Group resources were unavailable or only partially available.

We started investigating: something, somewhere, sometimes, now and then, sends a TCP RST in response to requests going exclusively to the mail.ru networks. Moreover, it sends an incorrectly formed (without ACK), obviously artificial TCP RST. This is what it looked like:

[Three images]

Naturally, the first thoughts were about the new equipment: a scary DPI, no trust in it, you never know what it might do. After all, TCP RST is a fairly common thing among blocking tools.
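A capture-side check for the symptom described above, as an added example that is not part of the original post: it parses raw IPv4/TCP packets and flags a RST that arrives with the ACK bit clear on a flow where the same sender has already sent ACK segments. The TTL comparison is an extra heuristic beyond the post, and the packets, addresses and helper names are constructed for illustration.

```python
import struct

RST, ACK = 0x04, 0x10

def parse(pkt):
    """Return ((src, dst, sport, dport), flags, ttl) for a raw IPv4/TCP packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if ihl < 20 or len(pkt) < ihl + 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    return (src, dst, sport, dport), pkt[ihl + 13], pkt[8]

def suspicious_resets(packets):
    """Flag RSTs on flows where the same sender already sent ACK-bearing segments."""
    seen_ttl, findings = {}, []   # flow -> TTL of the sender's last non-RST ACK segment
    for index, parsed in enumerate(map(parse, packets)):
        if parsed is None:
            continue
        flow, flags, ttl = parsed
        if flags & RST and flow in seen_ttl:
            reasons = []
            if not flags & ACK:
                reasons.append("RST without ACK")   # the symptom named in the post
            if ttl != seen_ttl[flow]:
                reasons.append("TTL changed")       # extra heuristic, not from the post
            if reasons:
                findings.append((index, flow, reasons))
        elif flags & ACK and not flags & RST:
            seen_ttl[flow] = ttl
    return findings

def build(src, dst, sport, dport, flags, ttl):
    """Constructed sample packet: bare IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

C, S = "10.0.0.5", "192.0.2.10"   # constructed addresses (private and TEST-NET-1)
SAMPLE = [
    build(C, S, 50000, 443, 0x02, 64),   # client SYN
    build(S, C, 443, 50000, 0x12, 56),   # server SYN|ACK
    build(C, S, 50000, 443, 0x10, 64),   # client ACK
    build(S, C, 443, 50000, 0x04, 61),   # bare RST "from the server", different TTL
    build(S, C, 443, 50001, 0x12, 56),   # second flow: server SYN|ACK
    build(S, C, 443, 50001, 0x14, 56),   # RST|ACK with matching TTL: not flagged
]
if __name__ == "__main__":
    print(suspicious_resets(SAMPLE))
```

Both signals are heuristics: a flagged packet is a reason to look at where on the path the reset entered, not proof of injection.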

We also put forward kaleman's assumption that someone "upstream" is filtering, but discarded it right away.

First, our uplinks are sane enough that we should not suffer like this :)

Second, we are connected to several IXes in Moscow, and traffic to mail.ru goes through them, and they have neither the obligation nor any other motive to filter traffic.

The next half of the day was spent on what is usually called shamanism, together with the equipment vendor, to whom we are grateful for not giving up :)

  • filtering was turned off completely
  • NAT under the new scheme was turned off
  • the test PC was moved into a separate isolated pool
  • the IP address was changed

In the evening, a virtual machine was allocated that connects to the network exactly like an ordinary user, and the vendor's representatives were given access to it and to the equipment. The shamanism continued :)

In the end, the vendor's representative confidently stated that the hardware had absolutely nothing to do with it: the RSTs come from somewhere upstream.

Note: At this point someone might say: surely it would have been much easier to take the dump not from the test PC but from the trunk above the DPI?

No, unfortunately, taking a dump of (or even just mirroring) 40+ Gbps is not at all trivial.

After that, by evening, there was nothing left to do but return to the assumption of some strange filtering somewhere upstream.

I looked at which IX the traffic to the MRG networks was passing through and simply shut down the BGP sessions to it. And lo and behold, everything immediately returned to normal :(

On the one hand, it is a shame that the whole day was spent hunting for the problem, even though it was solved in five minutes.

On the other hand:

- in my memory this is unprecedented. As I already wrote above, IXes really have no reason to filter transit traffic. They usually carry hundreds of gigabits or terabits per second. Until recently I simply could not seriously imagine something like this.

- an extremely unfortunate coincidence of circumstances: new, complex equipment that is not particularly trusted and from which it is unclear what to expect, and that is designed precisely for blocking resources, including with TCP RSTs.

The NOC of this internet exchange is currently looking into the problem. According to them (and I believe them), they have no specially deployed filtering system. But, thank heavens, the rest of the quest is no longer our problem :)

This was a small attempt to justify ourselves; please understand and forgive :)

P.S.: I deliberately do not name the manufacturer of the DPI/NAT or the IX (in fact, I do not even have any particular complaints about them; the main thing is to understand what it was).

Today's (as well as yesterday's and the day before yesterday's) reality from the point of view of an Internet provider

I have spent the last few weeks substantially rebuilding the core of the network, performing a pile of manipulations on the live network, with the risk of significantly affecting live user traffic. Considering the goals, results and consequences of all this, morally it is all quite hard. Especially when listening, once again, to fine speeches about protecting the stability of the Runet, sovereignty, and so on and so forth.

In this part, I will try to describe the "evolution" of the network core of a typical ISP over the past ten years.

Ten years ago.

In those blessed times, the core of a provider network could be as simple and reliable as a cork:

[Diagram]

In this very simplified picture there are no trunks, rings, or IP/MPLS routing.

Its essence is that user traffic ultimately arrived at the core switching, from where it went to the BNG, from where, as a rule, it went back to the core switching, and then "out" through one or more border gateways to the Internet.

Such a scheme is very easy to make redundant both at L3 (dynamic routing) and at L2 (MPLS).

You can install N+1 of anything: access servers, switches, borders, and one way or another make them redundant for automatic failover.

A few years later it became clear to everyone in Russia that it was impossible to go on living like this: it was urgently necessary to protect children from the pernicious influence of the Internet.

There was an urgent need to find ways to filter user traffic.

There are different approaches here.

In the worst case, something is placed "in the gap": between user traffic and the Internet. The traffic passing through this "something" is analyzed and, for example, a fake packet with a redirect is sent toward the subscriber.

In a slightly better case, if traffic volumes allow, you can pull a little trick: send to the filter only the traffic that goes from users to the addresses that need to be filtered (to do this, you can either take the IP addresses listed in the registry, or additionally resolve the domains present in the registry).

At one time, for these purposes, I wrote a simple mini DPI, although I can hardly bring myself to call it that. It is very simple and not very performant; nevertheless, it allowed us and dozens (if not hundreds) of other providers not to shell out millions right away on industrial DPI systems, and gave us several extra years.

By the way, about the DPI of that time and of today

By the way, many of those who bought the DPI systems available on the market at that time have already thrown them away. Well, they were not designed for this: hundreds of thousands of addresses, tens of thousands of URLs.

And at the same time, domestic manufacturers have risen very strongly in this market. I am not talking about the hardware component, where everything is clear to everyone, but the software, the main thing a DPI has, is perhaps today, if not the most advanced in the world, then certainly a) developing by leaps and bounds, and b) at the price of a boxed product, simply incomparable with foreign competitors.

I would like to be proud, but it is a little sad =)

Now everything looked like this:

[Diagram]

In another couple of years everyone already had auditors, and there were more and more resources in the registry. For some older equipment (for example, the Cisco 7600), the "filter on the side" scheme simply became inapplicable: the number of routes on the 76 platforms is limited to something like nine hundred thousand, while the number of IPv4 routes alone today is approaching 800 thousand. And if there is IPv6 as well... And also... how many is it? 900000 individual addresses in the RKN ban? =)

Some switched to a scheme that mirrors all backbone traffic to a filtering server, which must analyze the entire flow and, if something bad is found, send RSTs in both directions (to the sender and the receiver).

However, the more traffic there is, the less applicable this scheme becomes. With the slightest delay in processing, the mirrored traffic simply flies by unnoticed, and the provider receives a notice of a fine.

More and more providers are forced to install DPI systems of varying degrees of reliability inline on their trunks.

A year or two ago, according to rumors, almost all of the FSB began to demand the actual installation of SORM equipment (previously, most providers got by with having a SORM plan approved by the authorities, a plan of operational measures in case something needed to be found somewhere).

Besides money (not exactly exorbitant, but still millions), SORM required many further manipulations of the network.

  • SORM needs to see "gray" user addresses before NAT translation
  • SORM has a limited number of network interfaces

Therefore, in particular, we had to thoroughly rebuild a piece of the core, simply to gather the user traffic going to the access servers somewhere in one place, in order to mirror it into SORM over several links.

That is, very simplified, it was (left) vs. it became (right):

[Diagram]

Now most providers are also required to implement SORM-3, which includes, among other things, logging of NAT translations.

For these purposes we also had to add separate NAT equipment to the diagram above (exactly what is discussed in the first part). Moreover, it had to be added in a certain order: since SORM must "see" the traffic before address translation, the traffic must go strictly as follows: users -> switching, core -> access servers -> SORM -> NAT -> switching, core -> Internet. To do this, we had to literally "turn" the traffic flows in the other direction on the live network, which was also quite difficult.

In total: over the past ten years, the core design of an average provider has become many times more complex, and the number of additional points of failure (both in the form of equipment and in the form of single switching lines) has increased significantly. In fact, the very requirement to "see everything" means reducing this "everything" to one point.

I think this can be quite transparently extrapolated to the current initiatives to make the Runet sovereign, protect it, stabilize it and improve it :)

And Yarovaya is still ahead.

Source: www.habr.com