Ungigqugquzele kulokhu okuthunyelwe .
Ngicaphuna lapha:
namuhla ngo-18:53
Ngijabule ngomhlinzeki namuhla. Kanye nokubuyekezwa kwesistimu yokuvimbela isayithi, u-mailer wakhe we-mail.ru uvinjelwe. Bengilokhu ngishayela usekelo lobuchwepheshe kusukela ekuseni, kodwa abakwazi ukwenza lutho. Umhlinzeki mncane, futhi ngokusobala abahlinzeki bezinga eliphezulu bayayivimba. Ngiphinde ngabona ukwehla kokuvulwa kwazo zonke izingosi, mhlawumbe bafake uhlobo oluthile lwe-DLP eyisigwegwe? Ngaphambilini bezingekho izinkinga ngokufinyelela. Ukucekelwa phansi kweRuNet kwenzeka phambi kwamehlo ami...
Iqiniso liwukuthi kubonakala sengathi singabahlinzeki abafanayo :)
Futhi ngempela, Ngicishe ngaqagela imbangela yezinkinga nge-mail.ru (nakuba senqaba ukukholelwa entweni enjalo isikhathi eside).
Okulandelayo kuzohlukaniswa izingxenye ezimbili:
- izizathu zezinkinga zethu zamanje nge-mail.ru kanye nesifiso esijabulisayo sokuzithola
- ubukhona be-ISP emaqinisweni anamuhla, ukuzinza kwe-RuNet ezimele.
Izinkinga zokufinyeleleka nge-mail.ru
O, yindaba ende impela.
Iqiniso liwukuthi ukuze sifeze izidingo zombuso (imininingwane eyengeziwe engxenyeni yesibili), sathenga, salungisa, futhi safaka ezinye izinto zokusebenza - kokubili ukuhlunga izinsiza ezingavunyelwe kanye nokusebenzisa. ababhalisile.
Esikhathini esidlule, ekugcineni sakha kabusha umgogodla wenethiwekhi ngendlela yokuthi bonke abantu ababhalisile badlule kule mishini ngendlela efanele.
Ezinsukwini ezimbalwa ezedlule savula ukuhlunga okungavunyelwe kuso (ngenkathi sishiya uhlelo oludala lusebenza) - konke kwakubonakala kuhamba kahle.
Okulandelayo, kancane kancane baqala ukunika amandla i-NAT kule mishini yezingxenye ezahlukahlukene zababhalisile. Ngokubukeka kwayo, konke nakho kwakubonakala kuhamba kahle.
Kodwa namuhla, njengoba sesinikeze i-NAT amandla emishini engxenyeni elandelayo yababhalisile, kusukela ekuseni kakhulu besibhekene nenani elihle lezikhalazo mayelana nokungatholakali noma ukutholakala kancane. nezinye izinsiza ze-Mail Ru Group.
Baqala ukuhlola: okuthile endaweni ethile ngezinye izikhathi, ngezikhathi ezithile ithumela ekuphenduleni izicelo ezitholakala kumanethiwekhi we-mail.ru kuphela. Ngaphezu kwalokho, ithumela i-TCP RST eyenziwe ngokungalungile (ngaphandle kwe-ACK), ngokusobala yokwenziwa. Lokhu bekubukeka kanje:
Ngokwemvelo, imicabango yokuqala yayimayelana nemishini emisha: i-DPI esabekayo, akukho ukwethemba kuyo, awukwazi ukuthi yini engayenza - phela, i-TCP RST iyinto evamile phakathi kwamathuluzi okuvimbela.
Ukucabanga Siphinde sabeka umbono wokuthi othile “ophakeme” uyahlunga, kodwa wavele wawulahla.
Okokuqala, sine-uplinks eyanele ngokwanele ukuze singahlupheki kanje :)
Okwesibili, sixhunywe eziningana eMoscow, kanye ne-traffic to mail.ru idlula kubo - futhi abanayo imithwalo yemfanelo noma esinye isisusa sokuhlunga ithrafikhi.
Ingxenye elandelayo yosuku yachithwa kulokho okuvame ukubizwa ngokuthi ubushamanism - kanye nomthengisi wezinto zokusebenza, esibabonga ngakho, abazange baphele amandla :)
- ukuhlunga kukhutshazwe ngokuphelele
- I-NAT ikhutshaziwe kusetshenziswa uhlelo olusha
- i-PC yokuhlola yafakwa echibini elihlukile elingalodwa
- Ikheli le-IP lishintshile
Ntambama, kwabelwa umshini we-virtual oxhunywe kunethiwekhi ngokohlelo lomsebenzisi ovamile, futhi abameleli bomthengisi banikezwa ukufinyelela kuwo kanye nemishini. I-shamanism iqhubekile :)
Ekugcineni, ummeleli womthengisi washo ngokuzethemba ukuthi i-hardware ayihlangene nhlobo nayo: ama-rsts avela endaweni ethile ephakeme.
UkubhalaKuleli qophelo, omunye angase athi: kodwa bekulula kakhulu ukuthatha ukulahla hhayi kwi-PC yokuhlola, kodwa kusukela kuthelawayeka ongaphezu kwe-DPI?
Cha, ngeshwa, ukuthatha indawo yokulahla (futhi ngisho nokwenza isibuko nje) 40+gbps akuyona neze into encane.
Ngemva kwalokhu, kusihlwa, kwakungekho lutho olwalungenziwa ngaphandle kokubuyela ekucabangeni kokuhlunga okungajwayelekile endaweni ethile ngenhla.
Ngibheke ukuthi iyiphi i-IX traffic eya kumanethiwekhi we-MRG manje edlula kuyo futhi ngavele ngakhansela izikhathi ze-bgp kuyo. Futhi bheka futhi bheka! - yonke into ngokushesha ibuyele kokujwayelekile 🙁
Ngakolunye uhlangothi, kuyihlazo ukuthi usuku lonke lwachithwa kufunwa inkinga, nakuba yaxazululwa ngemizuzu emihlanu.
Ngokolunye uhlangothi:
- enkumbulweni yami lokhu kuyinto engakaze yenzeke. Njengoba ngike ngabhala ngenhla - IX ngempela asikho isidingo sokuhlunga ithrafikhi yezokuthutha. Ngokuvamile banamakhulu ama-gigabits/terabits ngomzuzwana. Angikwazanga nje ukucabanga ngokungathi sína into enjengale kuze kube muva nje.
- ukuqondana kwezimo okuyinhlanhla emangalisayo: i-hardware entsha eyinkimbinkimbi engathenjwa ngokukhethekile futhi okungacaci ukuthi yini engalindelwa - eklanyelwe ngokukhethekile ukuvimbela izinsiza, kuhlanganise ne-TCP RSTs.
I-NOC yalokhu kushintshaniswa kwe-inthanethi okwamanje ibheka inkinga. Ngokusho kwabo (futhi ngiyabakholelwa), abanalo uhlelo lokuhlunga olufakwe ngokukhethekile. Kodwa, ngiyabonga mazulu, enye imfuno ayiseyona inkinga yethu :)
Lona bekuwumzamo omncane wokuzithethelela, ngicela uqonde futhi uthethelele :)
I-PS: Angisho ngamabomu umkhiqizi we-DPI/NAT noma i-IX (empeleni, anginazo ngisho nezikhalazo ezikhethekile ngabo, into esemqoka ukuqonda ukuthi bekuyini)
Okungokoqobo kwanamuhla (kanye nokwayizolo nokwangaphambi kwayizolo) ngokombono womhlinzeki we-inthanethi
Ngisebenzise amasonto okugcina ngokuphawulekayo ngakha kabusha umnyombo wenethiwekhi, ngenza inqwaba yezinto ezikhohlisayo "ngenzuzo", ngengozi yokuba nomthelela omkhulu ekuthungeni kwabasebenzisi bukhoma. Uma ucabangela imigomo, imiphumela kanye nemiphumela yakho konke lokhu, ngokokuziphatha konke kunzima kakhulu. Ikakhulukazi - ngiphinde ngilalele izinkulumo ezinhle mayelana nokuvikela ukuzinza kweRunet, ubukhosi, njll. njalo njalo.
Kulesi sigaba, ngizozama ukuchaza "ukuziphendukela kwemvelo" komgogodla wenethiwekhi ye-ISP evamile phakathi neminyaka eyishumi edlule.
Eminyakeni eyishumi edlule.
Kulezo zikhathi ezibusisekile, umnyombo wenethiwekhi yabahlinzeki ungase ube lula futhi uthembeke njengesiminya sethrafikhi:
Kulesi sithombe esenziwe lula kakhulu, azikho iziqu, izindandatho, umzila we-ip/mpls.
Ingqikithi yayo ukuthi ithrafikhi yabasebenzisi ekugcineni ifike ekushintsheni kwezinga le-kernel - ukusuka lapho eya khona , kusukela lapho, njengomthetho, ubuyela ekushintsheni okuyinhloko, bese "uphuma" - ngokusebenzisa isango elilodwa noma ngaphezulu emngceleni we-Intanethi.
Uhlelo olunjalo lulula kakhulu ukubhukha kokubili ku-L3 (umzila oguquguqukayo) kanye naku-L2 (MPLS).
Ungafaka i-N+1 yanoma yini: iziphakeli zokufinyelela, amaswishi, imingcele - futhi ngandlela thile uzigcinele ukuhluleka okuzenzakalelayo.
Ngemva kweminyaka embalwa Kwaba sobala kuwo wonke umuntu eRussia ukuthi kwakungenakwenzeka ukuphila ngale ndlela: kwakuphuthuma ukuvikela izingane ethonyeni elibi le-Intanethi.
Kube nesidingo esiphuthumayo sokuthola izindlela zokuhlunga ithrafikhi yabasebenzisi.
Kunezindlela ezahlukene lapha.
Esimeni esingesihle kakhulu, kukhona okufakwayo “esigebeni”: phakathi kwethrafikhi yomsebenzisi ne-inthanethi. Ithrafikhi edlula kule “nto” iyahlaziywa futhi, isibonelo, iphakethe lomgunyathi elinokuqondisa kabusha lithunyelwa kobhalisile.
Esimeni esingcono kancane - uma umthamo wethrafikhi uvumela - ungenza iqhinga elincane ngezindlebe zakho: thumela ukuze kuhlungwe ithrafikhi kuphela evela kubasebenzisi kuphela kulawo makheli adinga ukuhlungwa (ukwenza lokhu, ungathatha amakheli e-IP. ecaciswe lapho kurejista, noma futhi xazulula izizinda ezikhona kurejista).
Ngesinye isikhathi, ngenxa yalezi zinhloso, ngabhala elula - nakuba ngingalokothi ngimbize kanjalo. Ilula kakhulu futhi ayikhiqizi kakhulu - nokho-ke, isivumele kanye nenqwaba (uma kungenjalo amakhulu) abanye abahlinzeki ukuthi bangakwazi ukukhipha izigidi ngokushesha kumasistimu e-DPI yezimboni, kodwa banikeze iminyaka eminingana eyengeziwe yesikhathi.
Ngendlela, mayelana ne-DPI yangaleso sikhathi neyamanjeNgendlela, abaningi abathenga izinhlelo ze-DPI ezitholakala emakethe ngaleso sikhathi base bezilahlile. Awu, ayakhelwe lokhu: amakhulu ezinkulungwane zamakheli, amashumi ezinkulungwane zama-URL.
Futhi ngesikhathi esifanayo, abakhiqizi basekhaya bakhuphuke kakhulu kule makethe. Angikhulumi ngengxenye ye-hardware - yonke into icacile kuwo wonke umuntu lapha, kodwa isofthiwe - into eyinhloko i-DPI enayo - mhlawumbe namuhla, uma ingeyona ethuthuke kakhulu emhlabeni, ngakho-ke ngokuqinisekile a) ithuthuka ngokugxuma nemingcele, futhi b) ngentengo yomkhiqizo ofakwe ebhokisini - ongenakuqhathaniswa nezimbangi zangaphandle.
Ngingathanda ukuziqhenya, kodwa ukudabuka kancane =)
Manje konke kwakubukeka kanje:
Eminyakeni embalwa eyedlule wonke umuntu wayesenabahloli bamabhuku; Kwakukhona izinsiza ezengeziwe kurejista. Kweminye imishini emidala (isibonelo, i-Cisco 7600), uhlelo “lokuhlunga ohlangothini” luvele lungasebenzi: inani lemizila kumapulatifomu angama-76 likhawulelwe kokuthile okufana nezinkulungwane ezingamakhulu ayisishiyagalolunye, kuyilapho inani lemizila ye-IPv4 iyodwa namuhla isondela ku-800. inkulungwane. Futhi uma futhi kuyi-ipv6... Futhi futhi... yimalini lapho? 900000 amakheli ngabanye ekuvinjelweni kwe-RKN? =)
Othile ushintshele kusikimu esinesibuko sayo yonke ithrafikhi yomgogodla kuya kuseva yokuhlunga, okufanele ihlaziye konke ukugeleza futhi, uma kutholakala okuthile okubi, thumela i-RST kuzo zombili izinkomba (umthumeli nomamukeli).
Nokho, uma ithrafikhi iyanda, lolu hlelo lusebenza kancane. Uma kukhona ukubambezeleka okuncane ekucutshungulweni, ithrafikhi eyizibuko izomane indize ingabonakali, futhi umhlinzeki uzothola umbiko omuhle.
Abahlinzeki abaningi ngokwengeziwe bayaphoqeleka ukuthi bafake izinhlelo ze-DPI zamazinga ahlukahlukene okuthembeka kuyo yonke imigwaqo emikhulu.
Unyaka noma emibili edlule ngokusho kwamahemuhemu, cishe yonke i-FSB yaqala ukufuna ukufakwa kwangempela kwemishini (phambilini, abahlinzeki abaningi babephethe ngemvume evela kuziphathimandla Uhlelo lwe-SORM - uhlelo lwezinyathelo zokusebenza uma kunesidingo sokuthola okuthile endaweni ethile)
Ngokungeziwe emalini (hhayi emba eqolo, kodwa namanje izigidi), i-SORM idinga ukukhohlisa okuningi ngenethiwekhi.
- I-SORM idinga ukubona amakheli omsebenzisi “ampunga” ngaphambi kokuhumusha kwe-nat
- I-SORM inenani elilinganiselwe lezixhumi ezibonakalayo zenethiwekhi
Ngakho-ke, ikakhulukazi, kwakudingeka sakhe kabusha kakhulu ucezu lwe-kernel - ukuze nje siqoqe ithrafikhi yabasebenzisi kumaseva okufinyelela endaweni ethile endaweni eyodwa. Ukuze uyifanise ku-SORM ngezixhumanisi ezimbalwa.
Okusho ukuthi, kwenziwe lula kakhulu, kwaba (kwesokunxele) vs kwaba (kwesokudla):
Manje Abahlinzeki abaningi futhi badinga ukuqaliswa kwe-SORM-3 - okuhlanganisa, phakathi kwezinye izinto, ukungena kokusakazwa kwe-nat.
Ngalezi zinhloso, kudingeke ukuthi sengeze amathuluzi ahlukene e-NAT kumdwebo ongenhla (lokho okuxoxwe ngakho engxenyeni yokuqala). Ngaphezu kwalokho, engeza ngokulandelana okuthile: njengoba i-SORM kufanele "ibone" ithrafikhi ngaphambi kokuhumusha amakheli, ithrafikhi kufanele ihambe kanje: abasebenzisi -> ukushintsha, i-kernel -> amaseva okufinyelela -> SORM -> NAT -> switching, kernel - > I-inthanethi. Ukuze senze lokhu, kwakudingeka “sijike” ngokwezwi nezwi ukugeleza kwethrafikhi ngakolunye uhlangothi ukuze sithole inzuzo, nakho okwakunzima kakhulu.
Kafushane: phakathi neminyaka eyishumi edlule, umklamo oyinhloko womhlinzeki ojwayelekile uye waba yinkimbinkimbi izikhathi eziningi, futhi amaphuzu engeziwe okuhluleka (kokubili ngendlela yemishini kanye nesimo semigqa yokushintsha eyodwa) akhuphuke kakhulu. Empeleni, yona kanye imfuneko “yokubona yonke into” isho ukunciphisa lokhu “konke” kube iphuzu elilodwa.
Ngicabanga ukuthi lokhu kungavezwa ngokusobala ezinhlelweni zamanje zokuphatha i-Runet, ivikeleke, iqiniswe futhi iyithuthukise :)
Futhi i-Yarovaya isengaphambili.
Source: www.habr.com