Undazise kule post .
Ndiyicaphula apha:
namhlanje ngo 18:53
Bendikholisiwe ngumboneleli namhlanje. Kanye kunye nohlaziyo lwenkqubo yokuvimbela indawo, i-mail.ru yakhe ivaliwe.Ndiye ndabiza inkxaso yezobuchwepheshe ukususela ekuseni, kodwa abanako ukwenza nantoni na. Umboneleli mncinane, kwaye kubonakala ukuba ababoneleli bezinga eliphezulu bayayivimba. Kwakhona ndaqaphela ukucotha ekuvuleni kwazo zonke iisayithi, mhlawumbi bafake uhlobo oluthile lwe-DLP egoso? Ngaphambili bekungekho ngxaki ngofikelelo. Ukutshatyalaliswa kweRuNet kwenzeka phambi kwamehlo am ...
Inyani kukuba kubonakala ngathi singababoneleli abafanayo :)
Kwaye ngokwenene, Ndiphantse ndaqikelela isizathu seengxaki nge-mail.ru (nangona salile ukukholelwa kwinto enjalo ixesha elide).
Oku kulandelayo kuya kwahlulwa kubini:
- izizathu zeengxaki zethu zangoku nge-mail.ru kunye nomnqweno onomdla wokuzifumana
- ubukho be-ISP kwizinto zokwenyani zanamhlanje, uzinzo lwe-RuNet eyongamileyo.
Iingxaki zokufikelela kwi-mail.ru
Owu, libali elide kakhulu.
Inyani kukuba, ukuze kuphunyezwe iimfuno zikarhulumente (iinkcukacha ezithe vetshe kwicandelo lesibini), sathenga, saqwalasela, saza safakela izixhobo ezithile - zombini ukuhluza izibonelelo ezingavumelekanga kunye nokuphumeza. ababhalisile.
Kwixesha elidlulileyo, ekugqibeleni sakha kwakhona undoqo wenethiwekhi ngendlela yokuba bonke abantu ababhalisileyo badlule kwesi sixhobo ngokungqongqo kwicala elifanelekileyo.
Kwiintsuku ezimbalwa ezidlulileyo savula ukuhluzwa okungavumelekanga kuyo (ngelixa sishiya inkqubo endala isebenza) - yonke into yayibonakala ihamba kakuhle.
Emva koko, ngokuthe ngcembe baqala ukwenza i-NAT kwesi sixhobo kwiindawo ezahlukeneyo zababhalisi. Ngokwenkangeleko yayo, yonke into nayo yayibonakala ihamba kakuhle.
Kodwa namhlanje, ukwenza ukuba i-NAT isebenze kwisixhobo senxalenye elandelayo yababhalisi, ukusukela kusasa besijongene nenani elifanelekileyo lezikhalazo malunga nokungafumaneki okanye ukufumaneka kancinci. kunye nezinye izixhobo ze-Mail Ru Group.
Baqala ukujonga: into ethile kwindawo ethile ngamanye amaxesha, ngamaxesha athile iyathumela ekuphenduleni izicelo ngokukodwa kwiinethiwekhi ze-mail.ru. Ngaphezu koko, ithumela ngendlela engafanelekanga eyenziwe (ngaphandle kwe-ACK), ngokucacileyo i-TCP RST yokwenziwa. Nantsi indlela ebikhangeleka ngayo:
Ngokwemvelo, iingcamango zokuqala zazimalunga nezixhobo ezitsha: i-DPI eyoyikisayo, akukho ntembelo kuyo, awukwazi ukuba yintoni enokuyenza - emva kwayo yonke into, i-TCP RST yinto eqhelekileyo phakathi kwezixhobo zokuthintela.
Ingcinga Sikwabeka phambili umbono wokuba umntu βophezuluβ uyahluza, kodwa wayilahla kwangoko.
Okokuqala, sinee-uplinks eziphilileyo ngokwaneleyo ukuze singabandezeleki ngolu hlobo :)
Okwesibini, sidityaniswe nezininzi eMoscow, kunye ne-traffic kwi-mail.ru ihamba nabo - kwaye abanalo uxanduva okanye nayiphi na enye injongo yokucoca i-traffic.
Isiqingatha esilandelayo sosuku sachithwa kwinto ebizwa ngokuba yi-shamanism - kunye nomthengisi wezixhobo, esibabulelayo, abazange banikezele :)
- ukuhluza kwacinywa ngokupheleleyo
- I-NAT iye yacinywa kusetyenziswa inkqubo entsha
- i-PC yovavanyo yafakwa kwidama elizimeleyo elahlukileyo
- Idilesi ye-IP itshintshiwe
Emva kwemini, kwabelwa umatshini obonakalayo oqhagamshelwe kwinethiwekhi ngokweskimu somsebenzisi oqhelekileyo, kwaye abameli bomthengisi banikwe ukufikelela kuyo kunye nezixhobo. I-shamanism iqhubekile :)
Ekugqibeleni, ummeli womthengisi wathetha ngokuzithemba ukuba i-hardware ayinanto yakwenza nayo: i-rsts ivela kwindawo ephezulu.
Qaphela:Ngeli nqanaba, umntu unokuthi: kodwa kwakulula kakhulu ukuthatha ukulahla kungekhona kwi-PC yokuvavanya, kodwa ukusuka kuhola wendlela ongaphezulu kwe-DPI?
Hayi, ngelishwa, ukuthatha i-dump (kwaye kunye nesibuko nje) 40 + gbps ayiyinto encinci.
Emva koku, ngokuhlwa, kwakungekho nto iseleyo yokwenza ngaphandle kokubuyela kwingcinga yokuhluza okungaqhelekanga kwindawo ethile ngaphezulu.
Ndajonga ukuba yeyiphi i-IX i-traffic eya kwinethiwekhi ye-MRG ngoku idlulayo kwaye ndacima iiseshoni ze-bgp kuyo. Kwaye khangela! -yonke into yakhawuleza yabuyela kwimeko yesiqhelo π
Ngakolunye uhlangothi, lihlazo ukuba imini yonke yachithwa ukukhangela ingxaki, nangona yasombululwa ngemizuzu emihlanu.
Kwelinye icala:
- kwinkumbulo yam le yinto engazange ibonwe ngaphambili. Njengoko sele ndibhale ngasentla - IX ngokwenene akukho sizathu sokuhluza i-traffic transit. Ngokuqhelekileyo banamakhulu egigabits/terabits ngomzuzwana. Andizange ndikwazi ukucinga into enje kude kube ngoku.
-into eyenzeka ngethamsanqa emangalisayo yeemeko: i-hardware entsha entsonkothileyo engathembekanga ngokukodwa kwaye ekungacaciyo ukuba yintoni enokulindeleka - ilungiselelwe ngokukodwa ukuthintela izixhobo, kubandakanya i-TCP RSTs.
I-NOC yolutshintshiselwano lwe-intanethi okwangoku ijonge ingxaki. Ngokutsho kwabo (kwaye ndiyabakholelwa), abanayo inkqubo yokucoca ebekwe ngokukodwa. Kodwa, enkosi mazulu, enye imfuno ayiseyongxaki yethu :)
Eli yayililinge elincinci lokuzithethelela, nceda uqonde kwaye uxolele :)
I-PS: Andizibizi ngamabomu umenzi we-DPI / NAT okanye i-IX (enyanisweni, andinayo izikhalazo ezikhethekileyo malunga nabo, into ephambili kukuqonda ukuba yintoni)
Inyani yanamhlanje (kunye neyezolo kunye nosuku olungaphambi kwayizolo) ngokwembono yomnikezeli we-Intanethi.
Ndichithe iiveki zokugqibela ngokubalulekileyo ngokuphinda ndakha ingundoqo yenethiwekhi, ndenza iqela lezinto ezikhohlisayo "ngenzuzo", kunye nomngcipheko wokuchaphazela kakhulu i-traffic yomsebenzisi ophilayo. Ukuqwalasela iinjongo, iziphumo kunye nemiphumo yako konke oku, ngokuziphatha kunzima kakhulu. Ngokukodwa - kwakhona ukuphulaphula iintetho ezintle malunga nokukhusela ukuzinza kweRunet, ulongamo, njl. kwaye nangokunjalo.
Kweli candelo, ndiza kuzama ukuchaza "ukuziphendukela kwemvelo" kwesiseko sothungelwano lwe-ISP eqhelekileyo kule minyaka ilishumi idlulileyo.
Kwiminyaka elishumi eyadlulayo.
Ngaloo maxesha asikelelekileyo, undoqo wothungelwano lomnikezeli unokuba lula kwaye uthembekile njenge-traffic jam:
Kulo mfanekiso kakhulu, lula kakhulu, akukho trunks, amakhonkco, ip/mpls umzila.
Undoqo wayo kukuba i-traffic traffic ekugqibeleni yafika kwinqanaba le-kernel yokutshintsha- ukusuka apho iye khona , ukusuka apho, njengomthetho, ubuyela kwi-core switching, kwaye emva koko "ngaphandle" - ngesango elinye okanye ngaphezulu komda kwi-Intanethi.
Iskimu esinjalo silula kakhulu ukusigcina zombini kwi-L3 (umzila oguqukayo) nakwi-L2 (MPLS).
Ungafaka i-N + 1 yayo nayiphi na into: iiseva zokufikelela, iiswitshi, imida - kunye nendlela enye okanye enye igcinelwe ukuhluleka okuzenzekelayo.
Emva kweminyaka embalwa Kwacaca kuye wonke umntu waseRashiya ukuba kwakungenakwenzeka ukuhlala ngolu hlobo: kwakungxamisekile ukukhusela abantwana kwimpembelelo eyingozi ye-Intanethi.
Bekukho imfuneko engxamisekileyo yokufumana iindlela zokucoca itrafikhi yabasebenzisi.
Kukho iindlela ezahlukeneyo apha.
Kwimeko engalunganga kakhulu, kukho into ebekwe "kwisithuba": phakathi kwetrafikhi yomsebenzisi kunye ne-Intanethi. I-traffic edlula kule "nto" ihlalutywa kwaye, umzekelo, ipakethi yobuxoki kunye nokuhanjiswa kwakhona ithunyelwa kumrhumeli.
Kwimeko engcono kancinci- ukuba umthamo wetrafikhi uyakuvumela-ungenza iqhinga elincinci ngeendlebe zakho: thumela ukucoca kuphela itrafikhi evela kubasebenzisi ukuya kwezo dilesi zifuna ukuhluzwa (ukwenza oku, unokuthatha iidilesi ze-IP. echazwe apho kubhaliso, okanye ukongeza ukusombulula iindawo ezikhoyo kubhaliso).
Ngesinye isikhathi, ngenxa yezi njongo, ndabhala elula - nangona ndingade ndimbize ngolo hlobo. Ilula kakhulu kwaye ayivelisi kakhulu - nangona kunjalo, yasivumela kunye nenqwaba (ukuba ayingomakhulu) abanye ababoneleli ukuba bangakhupheli ngokukhawuleza izigidi kwiinkqubo ze-DPI zoshishino, kodwa banike iminyaka emininzi eyongezelelweyo yexesha.
Ngendlela, malunga ne-DPI yangoku kunye neyangokuNgendlela, abaninzi abathenga iinkqubo ze-DPI ezikhoyo kwiimarike ngelo xesha sele bezilahlile. Ewe, azenzelwe oku: amakhulu amawaka eedilesi, amashumi amawaka ee-URL.
Kwaye kwangaxeshanye, abavelisi basekhaya banyuke kakhulu kule marike. Andithethi malunga necandelo le-hardware - yonke into icacile kuwo wonke umntu apha, kodwa isofthiwe - eyona nto i-DPI inayo-mhlawumbi namhlanje, ukuba ayiyona iphambili kwihlabathi, ngoko ngokuqinisekileyo a) ukuphuhlisa ngokuxhuma kunye nemida, kunye b) ngexabiso lemveliso efakwe kwibhokisi - ngokulula ayinakuthelekiswa nabakhuphisana bangaphandle.
Ndingathanda ukuba nebhongo, kodwa ndibuhlungu kancinci =)
Ngoku yonke into yayijongeka ngolu hlobo:
Kwiminyaka embalwa engakumbi wonke umntu wayesele enabaphicothi-zincwadi; Kwakukho izixhobo ezininzi ngakumbi kwirejista. Kwezinye izixhobo ezindala (umzekelo, iCisco 7600), iskimu "sokucoca ecaleni" siye saba singasebenzi: inani leendlela kwiiplatifti ze-76 lilinganiselwe kwinto efana namakhulu alithoba amawaka, ngelixa inani leendlela ze-IPv4 zodwa namhlanje zisondela kwi-800. Iwaka. Kwaye ukuba ikwayi-ipv6... Kwaye kwakhona... yimalini ekhoyo? Iidilesi ezingama-900000 zomntu ngamnye kukuvalwa kwe-RKN? =)
Umntu utshintshele kwisikimu kunye nesibuko sayo yonke i-traffic ye-backbone kwi-server yokucoca, ekufuneka ihlalutye yonke ukuhamba kwaye, ukuba kukho into embi efunyenweyo, thumela i-RST kumacala omabini (umthumeli kunye nommkeli).
Nangona kunjalo, okukhona itrafikhi ingaphezulu, kokukhona sisebenza kancinci esi sikimu. Ukuba kukho ukulibaziseka okuncinci ekuqhubeni, i-traffic ye-mirrored iya kubhabha nje ngokungabonakali, kwaye umboneleli uya kufumana ingxelo efanelekileyo.
Ababoneleli abangakumbi nangakumbi banyanzeleka ukuba bafakele iinkqubo zeDPI ezinemigangatho eyahlukeneyo yokuthembeka koohola bendlela.
Kunyaka okanye emibini edlulileyo ngokwamahemuhemu, phantse yonke iFSB yaqala ukufuna ukufakelwa kwangempela kwezixhobo (ngaphambili, uninzi lwababoneleli bebelawula ngemvume evela kwabasemagunyeni Isicwangciso seSORM - isicwangciso samanyathelo okusebenza xa kukho imfuneko yokufumana into kwenye indawo)
Ukongeza kwimali (engagqithisi ncam, kodwa zizigidi), i-SORM yayifuna iindlela ezininzi zokukhohlisa kunye nenethiwekhi.
- I-SORM kufuneka ibone iidilesi zomsebenzisi "ezingwevu" phambi kokuguqulelwa kwe-nat
- I-SORM inenani eliqingqiweyo lojongano lwenethiwekhi
Ke, ngokukodwa, kuye kwafuneka ukuba sakhe kwakhona isiqwenga se-kernel-ukuze siqokelele i-traffic yomsebenzisi kwiiseva zofikelelo kwindawo ethile kwindawo enye. Ukuze wenze isipili kwi-SORM ngamakhonkco amaninzi.
Oko kukuthi, yenziwe lula kakhulu, yaba (ekhohlo) vs yaba (ekunene):
Ngoku Uninzi lwababoneleli lukwafuna ukuphunyezwa kwe-SORM-3 - ebandakanya, phakathi kwezinye izinto, ukugawulwa kwe-nat kusasazo.
Ukwenzela ezi njongo, kuye kwafuneka ukuba songeze izixhobo ezahlukeneyo ze-NAT kulo mzobo ungasentla (kanye le nto kuxoxwe ngayo kwicandelo lokuqala). Ngaphezu koko, yongeza ngomyalelo othile: ekubeni i-SORM kufuneka "ibone" i-traffic ngaphambi kokuguqulela iidilesi, i-traffic kufuneka ihambe ngokungqongqo ngolu hlobo lulandelayo: abasebenzisi -> ukutshintsha, i-kernel -> iiseva zokufikelela -> SORM -> NAT -> ukutshintsha, i-kernel - > I-intanethi. Ukwenza oku, kuye kwafuneka ukuba "sijike" ukuhamba kwetrafikhi kwelinye icala ukufumana inzuzo, nayo kwakunzima kakhulu.
Isishwankathelo: kule minyaka ilishumi idlulileyo, uyilo olungundoqo lomnikezeli oqhelekileyo luye lwaba luninzi ngokuphindaphindiweyo, kwaye amanqaku angaphezulu angaphumeleli (zombini ngendlela yezixhobo kunye nendlela yokutshintsha imigca enye) anyuke kakhulu. Ngokwenyani, eyona mfuneko βyokubona yonke intoβ ithetha ukunciphisa le βnto yonkeβ kwindawo enye.
Ndicinga ukuba oku kunokwandiswa ngokucacileyo kumanyathelo akhoyo okulawula iRunet, ukuyikhusela, ukuzinzisa kunye nokuyiphucula :)
Kwaye iYarovaya isengaphambili.
umthombo: www.habr.com