"Sisungule ukuxhumana ngocingo phakathi kwethu nabafana base-SRI...", u-Kleinrock... uthe engxoxweni:
“Sibhale u-L futhi sabuza ocingweni, “Uyayibona i-L?”
“Yebo, siyayibona iL,” kwafika impendulo.
“Sabhala u-O, sabuza, “Uyayibona i-O.”
"Yebo, sibona i-O."
"Sibe sesibhala u-G, uhlelo lwaphahlazeka"...Nokho uguquko lwase luqalile...
Ukuqala kwe-inthanethi.
Sawubona wonke umuntu!
Igama lami ngingu-Alexander, ngingunjiniyela wenethiwekhi e-Linxdatacenter. Esihlokweni sanamuhla sizokhuluma ngamaphoyinti okushintshaniswa kwethrafikhi (Internet Exchange Points, IXP): yini eyandulela ukubukeka kwabo, yimiphi imisebenzi abayixazululayo nokuthi yakhiwe kanjani. Futhi kulesi sihloko ngizobonisa isimiso sokusebenza kwe-IXP usebenzisa isiteji se-EVE-NG kanye nomzila wesofthiwe ye-BIRD, ukuze ube nokuqonda ukuthi isebenza kanjani "ngaphansi kwe-hood".
Umlando omncane
Uma ubheka , khona-ke ungabona ukuthi ukukhula okusheshayo kwenani lezindawo zokushintshanisa izimoto kwaqala ngo-1993. Lokhu kungenxa yokuthi iningi lethrafikhi yama-telecom opharetha ayekhona ngaleso sikhathi ayedlula kunethiwekhi yomgogodla wase-US. Ngakho-ke, isibonelo, lapho ithrafikhi isuka ku-opharetha eFrance iya ku-opharetha eJalimane, yaqala yasuka eFrance iya e-USA, bese isuka e-USA iya eJalimane. Inethiwekhi yomgogodla kuleli cala isebenze njengezokuthutha phakathi kweFrance neJalimane. Ngisho nethrafikhi ezweni elilodwa ngokuvamile ayidluli ngokuqondile, kodwa ngamanethiwekhi omgogodla wabasebenzi baseMelika.
Lesi simo asithintanga nje kuphela izindleko zokulethwa kwethrafikhi yezokuthutha, kodwa nekhwalithi yamashaneli nokubambezeleka. Inani labasebenzisi be-inthanethi landa, kwavela opharetha abasha, umthamo wethrafikhi wanda, futhi i-inthanethi yavuthwa. Abasebenzi emhlabeni wonke baqala ukuqaphela ukuthi indlela enengqondo yokuhlela ukusebenzisana phakathi kwama-opharetha yayidingeka. “Kungani mina, u-opharetha A, kufanele ngikhokhele uhambo olunqamula kwelinye izwe ukuze ngilethe ithrafikhi ku-opharetha B, otholakala kumgwaqo olandelayo?” Lona cishe umbuzo ababezibuza wona ama-telecom opharetha ngaleso sikhathi. Ngakho-ke, amaphuzu okushintshaniswa kwethrafikhi aqala ukuvela ezingxenyeni ezihlukene zomhlaba ezindaweni zokuhlushwa zabaqhubi:
- 1994 - I-LINX eLondon,
- 1995 - DE-CIX eFrankfurt,
- 1995 - MSK-IX, eMoscow, njll.
I-inthanethi nezinsuku zethu
Ngokomqondo, ukwakheka kwe-inthanethi yesimanje kuqukethe amasistimu amaningi azimele (AS) nokuxhumana okuningi phakathi kwawo, kokubili ngokomzimba nokunengqondo, okunquma indlela yethrafikhi esuka ku-AS eyodwa iye kwenye.
Ama-AS ngokuvamile ama-telecom opharetha, abahlinzeki be-inthanethi, ama-CDN, izikhungo zedatha, nezinkampani zengxenye yebhizinisi. Ama-AS ahlela ukuxhumana okunengqondo (ukubheka) phakathi kwawo, ngokuvamile kusetshenziswa iphrothokholi ye-BGP.
Ukuthi amasistimu azimele ahlela kanjani lokhu kuxhumana kunqunywa izinto ezimbalwa:
- ngokwendawo,
- ezomnotho,
- ezepolitiki,
- izivumelwano nezintshisekelo ezifanayo phakathi kwabanikazi be-AS,
- nokunye.
Yiqiniso, lolu hlelo lunesakhiwo esithile kanye nokuhlelwa kwezikhundla. Ngakho-ke, ama-opharetha ahlukaniswe abe yi-tier-1, tier-2 kanye ne-tier-3, futhi uma amaklayenti omhlinzeki we-inthanethi wendawo (i-tier-3), njengomthetho, abasebenzisi abajwayelekile, ngakho-ke, isibonelo, i-tier-1 ama-opharetha ezinga amaklayenti angabanye opharetha. Ama-opharetha we-Tier-3 ahlanganisa ithrafikhi yababhalisi babo, ama-opharetha e-telecom we-tier-2, nawo, ahlanganisa ithrafikhi yama-opharetha esigaba-3, kanye ne-tier-1 - yonke ithrafikhi ye-inthanethi.
Ngokohlelo ingamelwa kanje:
Lesi sithombe sibonisa ukuthi ithrafikhi ihlanganisiwe ukusuka phansi kuye phezulu, i.e. kusukela kubasebenzisi bokugcina ukuya kubaqhubi be-tier-1. Kukhona nokushintshisana okuvundlile kwethrafikhi phakathi kwama-AS acishe alingane namanye.
Ingxenye ebalulekile futhi ngesikhathi esifanayo ukungasebenzi kahle kwalolu hlelo ukudideka okuthile kokuxhumana phakathi kwezinhlelo ezizimele eziseduze nomsebenzisi wokugcina, ngaphakathi kwendawo. Cabangela isithombe esingezansi:
Ake sicabange ukuthi edolobheni elikhulu kukhona ama-telecom opharetha angu-5, abheka phakathi kwawo, ngenxa yesizathu esisodwa noma esinye, ahlelwe njengoba kuboniswe ngenhla.
Uma umsebenzisi uPetya, exhunywe ku-Go ISP, efuna ukufinyelela kuseva exhunywe kumhlinzeki we-ASM, khona-ke ithrafikhi phakathi kwabo izophoqeleka ukuthi idlule kumasistimu azimele ayi-5. Lokhu kwandisa ukubambezeleka ngoba inombolo yamadivayisi enethiwekhi lapho ithrafikhi izohamba khona inyuka, kanye nevolumu yethrafikhi yezokuthutha kumasistimu azimele phakathi kwe-Go ne-ASM.
Ungalehlisa kanjani inani lama-AS ezokuthutha abantu abaphoqeleka ukuba badlule kuwo? Kulungile - indawo yokushintshisana ngethrafikhi.
Namuhla, ukuvela kwama-IXP amasha kuqhutshwa izidingo ezifanayo njengasekuqaleni kweminyaka engu-90-2000, kuphela ngezinga elincane, ekuphenduleni inani elikhulayo labasebenzisi be-telecom, abasebenzisi kanye nethrafikhi, inani elikhulayo lokuqukethwe okukhiqizwa amanethiwekhi e-CDN. kanye nezikhungo zedatha.
Liyini iphuzu lokushintshisana?
Iphoyinti lokushintshisana ngethrafikhi indawo enengqalasizinda yenethiwekhi ekhethekile lapho ababambiqhaza abathanda ukushintshana kwethrafikhi behlela ukubukana. Abahlanganyeli abakhulu bamaphuzu okushintshaniswa kwethrafikhi: opharetha be-telecom, abahlinzeki be-inthanethi, abahlinzeki bokuqukethwe nezikhungo zedatha. Ezindaweni zokushintshana kwethrafikhi, ababambiqhaza baxhumane bodwa. Lokhu kukuvumela ukuthi uxazulule izinkinga ezilandelayo:
- nciphisa ukubambezeleka,
- ukunciphisa inani lethrafikhi yezokuthutha,
- thuthukisa umzila phakathi kwe-AS.
Uma kucatshangelwa ukuthi ama-IXP akhona emadolobheni amaningi amakhulu emhlabeni jikelele, konke lokhu kunomphumela onenzuzo ku-inthanethi iyonke.
Uma isimo esingenhla ngePetya sixazululwa kusetshenziswa i-IXP, kuzovela into enjengale:
Isebenza kanjani indawo yokushintshisana ngethrafikhi?
Njengomthetho, i-IXP iyi-AS ehlukile enebhlogo yayo yamakheli omphakathi e-IPv4/IPv6.
Inethiwekhi ye-IXP ngokuvamile iqukethe isizinda se-L2 esiqhubekayo. Kwesinye isikhathi lokhu kumane kuyi-VLAN ebamba wonke amaklayenti e-IXP. Uma kukhulunywa ngama-IXP amakhulu, asabalaliswe ngokwendawo, ubuchwepheshe obufana ne-MPLS, i-VXLAN, njll. bungasetshenziswa ukuhlela isizinda se-L2.
Izingxenye ze-IXP
- I-SKS. Akukho okungavamile lapha: ama-racks, ama-optical cross-connects, ama-patch panel.
- Ukushintsha - isisekelo se-IXP. Imbobo yokushintsha indawo yokungena kunethiwekhi ye-IXP. Amaswishi nawo enza ingxenye yemisebenzi yezokuphepha - ahlunga ithrafikhi engafanele okungafanele ibe khona kunethiwekhi ye-IXP. Njengomthetho, ukushintshwa kukhethwa ngokusekelwe ezidingweni zokusebenza - ukwethembeka, isivinini esisekelwe echwebeni, izici zokuphepha, ukusekelwa kwe-sFlow, njll.
- Iseva yomzila (RS) – ingxenye ebalulekile nedingekayo yanoma iyiphi indawo yesimanje yokushintshisana ngethrafikhi. Umgomo wokusebenza ufana kakhulu nesibonisi somzila ku-iBGP noma umzila oqokiwe ku-OSPF futhi uxazulula izinkinga ezifanayo. Njengoba inani labahlanganyeli endaweni yokushintshisana yethrafikhi likhula, inani lamaseshini e-BGP umhlanganyeli ngamunye adinga ukulisekela liyakhula, i.e. lokhu kukhumbuza i-topology yakudala enemeshi egcwele ku-iBGP. I-RS ixazulula inkinga ngendlela elandelayo: isungula iseshini ye-BGP nomhlanganyeli ngamunye we-IXP onentshisekelo, futhi lowo mbambiqhaza uba iklayenti le-RS. Ithola isibuyekezo se-BGP kwelinye lamakhasimende ayo, i-RS ithumela lesi sibuyekezo kuwo wonke amanye amakhasimende ayo, vele, ngaphandle kwaleyo okutholwe kuyo lesi sibuyekezo. Ngakho-ke, i-RS iqeda isidingo sokusungula i-full-mesh phakathi kwawo wonke amalungu e-IXP futhi ixazulule kahle inkinga yokuqina. Kuyaphawuleka ukuthi iseva yomzila idlulisela ngokusobala imizila isuka ku-AS eyodwa iye kwenye ngaphandle kokwenza izinguquko kuzimfanelo ezidluliselwa yi-BGP, ngokwesibonelo, ayingezi inombolo ku-AS yayo ku-AS-path. Futhi ku-RS kukhona ukuhlunga okuyisisekelo kwemizila: isibonelo, i-RS ayiwamukeli amanethiwekhi we-Martians kanye neziqalo ze-IXP ngokwayo.
Irutha yesofthiwe yomthombo ovulekile, i-BIRD (i-daemon yomzila we-inthanethi yezinyoni), ivamise ukusetshenziswa njengesixazululo seseva yomzila. Okuhle ngayo ukuthi imahhala, isetshenziswa ngokushesha ekusabalaliseni okuningi kwe-Linux, inendlela evumelana nezimo yokusetha izinqubomgomo zomzila/zokuhlunga, futhi ayifuni ngezinsiza zekhompyutha. Futhi, i-hardware/irutha ebonakalayo evela ku-Cisco, Juniper, njll. ingakhethwa njenge-RS.
- Ukuphepha. Njengoba inethiwekhi ye-IXP ihlanganisa inani elikhulu lama-AS, inqubomgomo yokuphepha okufanele ilandelwe yibo bonke ababambiqhaza kufanele ibhalwe kahle. Ngokuvamile, zonke izindlela ezifanayo ezisebenzayo lapho kusungulwa indawo eseduze ye-BGP phakathi kontanga ababili abahlukene be-BGP ngaphandle kwe-IXP bayasebenza lapha, kanye nezinye izici zokuphepha ezengeziwe.
Isibonelo, kuwumkhuba omuhle ukuvumela ithrafikhi kuphela ekhelini elithile le-mac lomhlanganyeli we-IXP, okuxoxiswane ngakho kusenesikhathi. Ukwenqaba ithrafikhi ngezinkambu ze-ethertype ngaphandle kuka-0x0800(IPv4), 0x08dd(IPv6), 0x0806(ARP); lokhu kwenziwa ukuze kuhlungwe ithrafikhi engahlangene nokubuka kwe-BGP. Izindlela ezifana ne-GTSM, RPKI, njll. nazo zingasetshenziswa.
Mhlawumbe okungenhla yizingxenye eziyinhloko zanoma iyiphi i-IXP, kungakhathaliseki ukuthi singakanani. Kunjalo, ama-IXP amakhulu angase abe nobuchwepheshe obengeziwe nezixazululo endaweni.
Kwenzeka ukuthi i-IXP iphinde inikeze ababambiqhaza bayo ngezinsizakalo ezengeziwe:
- ibekwe kuseva ye-IXP TLD DNS,
- faka amaseva e-Hardware NTP, okuvumela ababambiqhaza ukuthi bavumelanise isikhathi ngokunembile,
- hlinzeka ngokuvikeleka ekuhlaselweni kwe-DDoS, njll.
Ukuthi isebenza kanjani
Ake sibheke isimiso sokusebenza kwendawo yokushintshisana ngethrafikhi sisebenzisa isibonelo se-IXP elula, eyenziwe kusetshenziswa i-EVE-NG, bese sicabangela ukusethwa okuyisisekelo kwerutha yesoftware ye-BIRD. Ukwenza umdwebo ube lula, sizoshiya izinto ezibalulekile njengokuphindaphinda nokubekezelela amaphutha.
I-topology yenethiwekhi iboniswa esithombeni esingezansi.
Ake sicabange ukuthi silawula indawo encane yokushintshisana futhi sinikeze izinketho ezilandelayo zokubuka:
- ukubuka umphakathi,
- ukubuka kwangasese,
- ukubuka ngeseva yomzila.
Inombolo yethu ye-AS ngu-555, siphethe ibhulokhi lamakheli e-IPv4 - 50.50.50.0/24, lapho sikhipha khona amakheli e-IP kulabo abafuna ukuxhuma kunethiwekhi yethu.
50.50.50.254 - Ikheli le-IP elilungiselelwe kusixhumi esibonakalayo seseva yomzila, ngaleli klayenti le-IP lizosungula iseshini ye-BGP uma kwenzeka ukubuka nge-RS.
Futhi, ngokulunguza nge-RS, senze inqubomgomo elula yomzila esekelwe kumphakathi we-BGP, ovumela ababambiqhaza be-IXP ukuthi balawule ukuthi bathunyelwa kubani nokuthi yimiphi imizila:
BGP umphakathi
Incazelo
LOCAL_AS:PEER_AS
Thumela iziqalo kuphela ku-PEER_AS
LOCAL_AS:IXP_AS
Dlulisela iziqalo kubo bonke ababambi qhaza be-IXP
Amaklayenti angu-3 afuna ukuxhuma ku-IXP yethu nokushintshanisa ithrafikhi; Ake sithi laba abahlinzeki be-inthanethi. Bonke bafuna ukuhlela ukubuka ngeseva yomzila. Ngezansi umdwebo onemingcele yokuxhumeka kweklayenti:
Ikhasimende
Inombolo ye-AS yekhasimende
Iziqalo ezikhangisiwe zeklayenti
Ikheli lasesizindeni se-inthanethi likhishelwe iklayenti ukuze lixhume ku-IXP
I-ISP #1
NJENGO-100
1.1.0.0/16
50.50.50.10/24
I-ISP #2
NJENGO-200
2.2.0.0/16
50.50.50.20/24
I-ISP #3
NJENGO-300
3.3.0.0/16
50.50.50.30/24
Ukusethwa okuyisisekelo kwe-BGP kumzila weklayenti:
router bgp 100
no bgp enforce-first-as
bgp log-neighbor-changes
neighbor 50.50.50.254 remote-as 555
address-family ipv4
network 1.1.0.0 mask 255.255.0.0
neighbor 50.50.50.254 activate
neighbor 50.50.50.254 send-community both
neighbor 50.50.50.254 soft-reconfiguration inbound
neighbor 50.50.50.254 route-map ixp-out out
exit-address-family
ip prefix-list as100-prefixes seq 5 permit 1.1.0.0/16
route-map bgp-out permit 10
match ip address prefix-list as100-prefixes
set community 555:555
Kuhle ukuqaphela ukuthi akukho bgp enforce-first-as setting lapha. Ngokuzenzakalelayo, i-BGP idinga ukuthi indlela yokubuyekezwa kwe-BGP etholiwe iqukethe njengenombolo ye-bgp yontanga okwatholwa kuyo isibuyekezo. Kodwa njengoba iseva yomzila ingenzi izinguquko ku-as-path, inombolo yayo ngeke ibe ku-as-path futhi isibuyekezo sizolahlwa. Lesi silungiselelo sisetshenziselwa ukwenza irutha indibe lo mthetho.
Siyabona futhi ukuthi iklayenti limise i-bgp community 555:555 kulesi siqalo, okusho ukuthi ngokwenqubomgomo yethu ikhasimende lifuna ukukhangisa lesi siqalo kubo bonke abanye ababambi qhaza.
Kwamanye amarutha amaklayenti, izilungiselelo zizofana, ngaphandle kwamapharamitha awo ahlukile.
Isibonelo sokucushwa kwe-BIRD:
define ixp_as = 555;
define ixp_prefixes = [ 50.50.50.0/24+ ];
template bgp RS_CLIENT {
local as ixp_as;
rs client;
}
Okulandelayo kuchaza isihlungi esingazamukeli iziqalo ze-martians, kanye neziqalo ze-IXP ngokwayo:
function catch_martians_and_ixp()
prefix set martians;
prefix set ixp_prefixes;
{
martians = [
0.0.0.0/8+,
10.0.0.0/8+,
100.64.0.0/10+,
127.0.0.0/8+,
169.254.0.0/16+,
172.16.0.0/12+,
192.0.0.0/24+,
192.0.2.0/24+,
192.168.0.0/16+,
198.18.0.0/15+,
198.51.100.0/24+,
203.0.113.0/24+,
224.0.0.0/4+,
240.0.0.0/4+ ];
if net ~ martians || net ~ ixp_prefixes then return false;
return true;
}
Lo msebenzi usebenzisa inqubomgomo yomzila esiyichaze ekuqaleni.
function bgp_ixp_policy(int peer_as)
{
if (ixp_as, ixp_as) ~ bgp_community then return true;
if (ixp_as, peer_as) ~ bgp_community then return true;
return false;
}
filter reject_martians_and_ixp
{
if catch_martians_and_ixp() then reject;
if ( net ~ [0.0.0.0/0{25,32} ] ) then {
reject;
}
accept;
}
Silungiselela ukubuka, sisebenzise izihlungi nezinqubomgomo ezifanele.
protocol as_100 from RS_CLIENT {
neighbor 50.50.50.10 as 100;
ipv4 {
export where bgp_ixp_policy(100);
import filter reject_martians_and_ixp;
}
}
protocol as_200 from RS_CLIENT {
neighbor 50.50.50.20 as 200;
ipv4 {
export where bgp_ixp_policy(200);
import filter reject_martians_and_ixp;
}
}
protocol as_300 from RS_CLIENT {
neighbor 50.50.50.30 as 300;
ipv4 {
export where bgp_ixp_policy(300);
import filter reject_martians_and_ixp;
}
}
Kuyaphawuleka ukuthi kuseva yomzila kuwumkhuba omuhle ukubeka imizila esuka kontanga abahlukene iye kuma-RIB ahlukene. INYONI ikuvumela ukuthi wenze lokhu. Esibonelweni sethu, ukuze kube lula, zonke izibuyekezo ezitholwe kuwo wonke amaklayenti zengezwa ku-RIB eyodwa evamile.
Ngakho, ake sihlole esinakho.
Kuseva yomzila sibona ukuthi iseshini ye-BGP isisungulwe nawo womathathu amaklayenti:
Siyabona ukuthi sithola iziqalo kuwo wonke amakhasimende:
Ku-router njenge-100, sibona ukuthi uma kuneseshini eyodwa ye-BGP neseva yomzila, sithola iziqalo kusuka kokubili njengo-200 futhi njengo-300, kuyilapho izimfanelo ze-BGP zingashintshile, njengokungathi ukubuka phakathi kwamaklayenti kwenziwa ngokuqondile:
Ngakho-ke, siyabona ukuthi ukuba khona kweseva yomzila kwenza kube lula kakhulu inhlangano yokubuka ku-IXP.
Ngethemba ukuthi lokhu kuboniswa kukusize uqonde kangcono ukuthi ama-IXPs asebenza kanjani nokuthi iseva yomzila isebenza kanjani ku-IXP.
I-Linxdatacenter IX
E-Linxdatacenter, sakhe i-IXP yethu ngokusekelwe kungqalasizinda ebekezelela amaphutha yokushintsha okungu-2 namaseva emizila emi-2. I-IXP yethu manje isebenza kumodi yokuhlola, futhi simema wonke umuntu ukuthi axhume ku-Linxdatacenter IX futhi abambe iqhaza ekuhloleni. Lapho uxhumekile, uzonikezwa imbobo ene-bandwidth engu-1 Gbit/s, ikhono lokulunguza eziphakelini zomzila wethu, kanye nokufinyelela ku-akhawunti yakho yomuntu siqu yengosi ye-IX, etholakala ku- .
Bhala amazwana noma imilayezo eyimfihlo ukuze uthole ukufinyelela ekuhlolweni.
isiphetho
Amaphuzu okushintshaniswa kwethrafikhi avele ekuqaleni kwe-inthanethi njengethuluzi lokuxazulula inkinga yokugeleza kwethrafikhi phakathi kwabaqhubi bezingcingo. Manje, ngokufika kwezinsizakalo ezintsha zomhlaba wonke kanye nokwanda kwenani lethrafikhi ye-CDN, amaphuzu okushintshanisa ayaqhubeka nokuthuthukisa ukusebenza kwenethiwekhi yomhlaba wonke. Ukwenyuka kwenani lama-IXP emhlabeni kuzuzisa kokubili umsebenzisi wokugcina wesevisi kanye nabaqhubi bezingcingo, ama-opharetha okuqukethwe, njll. Kubahlanganyeli be-IXP, inzuzo iboniswa ekwehliseni izindleko zokuhlela ukubuka kwangaphandle, ukunciphisa inani lethrafikhi okumele bakhokhelwe opharetha bezinga eliphezulu, ukuthuthukisa umzila, kanye nekhono lokuba nokuxhumana okuqondile nabaqhubi bokuqukethwe.
Izixhumanisi eziwusizo
- Buka imephu yendawo yamaphoyinti okushintshaniswa kwethrafikhi:
- Buka izibalo ezinemininingwane ngokubuka kwe-BGP, okuhlanganisa nokuba khona ku-IXP:
Source: www.habr.com