OpenBSD Project Announces OpenBGPD
44BSD writes "As noted at undeadly, the OpenBSD Project has announced a BSD-licensed implementation of the Border Gateway Protocol, BGP. Project details, design goals, documentation, and more are at the project web site. BGP is documented in RFC 1771.
Lucky for Cisco, BSD is dying..."
Lucky for everyone else, a BSD license will make it easy to implement in every other router box and make it cheap. Or so I hope.
No sig
Unfortunately, even the fanciest boxes running BSD can't compete on a pure throughput basis with good Cisco routers. A twenty-four port gigabit Cisco router has a 48 Gbps backplane, but a PC running BSD will be limited by its bus--the fastest servers have a 64 bit 133 MHz bus with PCI-X. That's 8 Gbps. And you can't put more than a handful of network cards in even the largest BSD-capable server--there simply aren't the expansion slots. So this really couldn't be used for core Internet routers.
And, of course, you don't need to be running BGP on small networks--it's only when you've got a number of large networks joined together, at a chokepoint, where you need to use BGP to properly route traffic. So there's no point to it for small businesses who might be trying to save money over a Cisco router--they don't need BGP.
I wonder, then: where is the market for this....?
---
Yesterday, I tried to compile OpenBGPD on Linux. Unfortunately, there is no "portable version" available (unlike OpenSSH), and the source code contains a lot of #includes and library functions that are specific to (Open)BSD. That obviously doesn't help portability, and I'm a bit sad that the OpenBSD project doesn't go the portable way and make its userland as easily compilable on other Unices as possible.
A monkey is doing the real work for me.
Just because it's BSD doesn't mean that it's going to be limited to PC Architecture.
This project could give a boost to manufacturers of competing kit by having a code base that it doesn't have to start from scratch and can be run on a minimal BSD distribution.
There's nothing to stop A.N.Other manufacturer creating their own architecture and running this on top.
Matt Thompson - Actuality - Insert product here.
Many, many sites use BGP at less than 8Gbps aggregate throughput - hell, I know of several sites that still run partial feeds over ISDN BRI. I just don't see where you get the idea that BGP is only for core routers.
>I wonder, then: where is the market for this....?
Perhaps when hackers start using the vulnerabilities in the BGP protocol to attack the Internet and those vulnerabilities are not found to be present or are fixed faster in the open BSD code, that'll justify the project's existence.
I mean we've already seen that open-source has fewer vulnerabilities than closed-source in general (Think I.I.S. vs Apache), so this will just become another way to secure the Internet.
I don't know the meaning of the word 'don't' - J
the openbsd team has branched off quite a few projects where they saw the security and/or license was insufficient and needed to be redone.
OpenSSH, whose box doesn't have this?
OpenNTPD, a network time protocol daemon and server, recently released.
OpenBGPD, the border gateway protocol daemon.
They were pioneers in the use of stack protection software on the i386 platform (kernel and compiler), as well as privilege-separated daemons (it's in your sshd now), and randomized library linking locations.
(i think i'm missing a few, anyone care to fill them in?)
they have implemented (a far better implementation over the old one that they didn't write) their IP filter, PF (which has now made it into netbsd, freebsd, and hopefully linux soon enough). this includes INSANE amounts of configurability options, with integrated routing and traffic shaping.
many people grumble about how the project is run and its priorities. but we all benefit from their efforts. i think i'm going to buy a cd even though i am not an openbsd user. these sales help keep these projects going.
It appears that a lot of good stuff keeps coming out of OpenBSD. They truly focus on the things that matter (for them). Not gadgets or eye candy, but clean, solid, secure network implementations. Kudos again!
Please correct me if I got my facts wrong.
Hasn't Zebra been succeeded by Quagga? [quagga.net]
I ask out of curiosity more than anything else - Debian unstable and testing use Quagga instead of Zebra...
Right now, you're absolutely right: doing this in a PC would cost as much as or more than a dedicated solution, especially when you factor in the infamous TCO. And as you say later, small networks have no need for this sort of thing. But again, in a few years it may be affordable to do this on commodity hardware. Once the enormous cost of big iron from Cisco et al. comes down, I think a lot of those small networks might just find needs. Especially if we get into the much-touted Internet of the Future where everything has an IP address.
Yes, and a Boeing 747 can carry a hell of a lot more passengers than a Citroen CX. Guess which one is most cost-effective and works best for a 40-mile commute?
I agree with you on throughput limitations. But let's look at some facts. The second biggest router company manages their routers with a BSD kernel (Juniper) and runs the routing bits in that kernel (with hooks to move everything into hardware once the decision is made). PCs make good general purpose routing procs; they make poor packet shufflers. If you take a flexible platform with a lot of headroom you can make a great administrative box, and if it's coupled with a good hardware ASIC to push packets it can scale.
Now small networks need BGP as well. It's the best way to have multiple redundant links to providers while running servers beyond mail. I have a small pile of clients some as small as a couple T1's running BGP between two providers.
No sir I dont like it.
Too bad that the BGP part of Quagga is actually working well and the OSPF part is dying like hell. So personally I hope for an OpenOSPF too.
But since nobody is mentioning it... I thought GateD was a BGP routing thingie too, but I am not sure of that....
Support Eachother, Copy Dutch Property!
Another thing to be mindful of is Linuxisms, like /bin/sh being a link to /bin/bash; and, for that matter, all programs being in either /bin or /usr/bin. Everyone except Linux, more or less, puts stuff in /usr/local or /opt or God knows where else. So when writing scripts, set the interpreter as the actual interpreter: if you're using bashisms in your script, don't set the interpreter as /bin/sh. Don't put in any paths at all to the interpreter, either. Do #!/usr/bin/env bash instead, which will invoke the first bash on the caller's command line. That way you don't have to care if bash is in /bin/bash, /usr/bin/bash, /usr/local/bin/bash, or /opt/bin/bash. Or, in the case of qmail, /var/bash/bin/bash.
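As an added illustration of the shebang trap described above (example code, not part of the original comment): a small POSIX sh checker that flags scripts declaring /bin/sh as their interpreter while using bash-only syntax. The bashism patterns and the sample scripts are constructed here and are illustrative, not exhaustive.

```shell
#!/bin/sh
# Constructed example: detect "#!/bin/sh" scripts that rely on bashisms.
# On Linux /bin/sh is frequently bash, so such a script appears to work;
# on the BSDs /bin/sh is a POSIX shell and the same script fails.
# The checker itself sticks to POSIX sh so it runs anywhere.

# Print the interpreter named on the first line of a script (empty if none).
shebang_of() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*//p'
}

# Print matching lines for a few common bash-only constructs:
# [[ ]] tests, "function name", ${var//pat/rep}, arr=( ... ), <( ... ).
# Exit status is 0 when at least one construct is found (grep semantics).
find_bashisms() {
    grep -nE '\[\[|^[[:space:]]*function[[:space:]]+[A-Za-z_]|\$\{[A-Za-z_][A-Za-z0-9_]*//|[A-Za-z_][A-Za-z0-9_]*=\(|<\(' "$1"
}

# Verdict for one file: no-shebang, sh-with-bashisms, ok-bash, or ok.
check_script() {
    interp=$(shebang_of "$1")
    case "$interp" in
        "") echo no-shebang ;;
        /bin/sh|/usr/bin/sh|sh)
            if find_bashisms "$1" >/dev/null; then
                echo sh-with-bashisms
            else
                echo ok
            fi ;;
        *bash*) echo ok-bash ;;   # /usr/bin/env bash or any explicit bash path
        *) echo ok ;;
    esac
}

# Constructed sample scripts exercising the three interesting cases.
tmp=$(mktemp -d)
cat > "$tmp/bad.sh" <<'EOF'
#!/bin/sh
if [[ -n "$1" ]]; then echo yes; fi
EOF
cat > "$tmp/good.sh" <<'EOF'
#!/usr/bin/env bash
if [[ -n "$1" ]]; then echo yes; fi
EOF
cat > "$tmp/posix.sh" <<'EOF'
#!/bin/sh
if [ -n "$1" ]; then echo yes; fi
EOF

for f in "$tmp"/*.sh; do
    printf '%s: %s\n' "$(basename "$f")" "$(check_script "$f")"
done
```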
And that improves internet speeds for everyone. So we all win. Kudos to the BSD team :)
For the love of God, please learn to spell "ridiculous"!!!
there's always 8x PCI-E for transferring lots of data. That'd give you 20 Gbit in each direction. 16x PCI-E NICs and even 32x PCI-E NICs should be available in a not so distant future.
Any sufficiently advanced technology is indistinguishable from magic.
Pretty much. It's the same there too. Everyone wants their project to do better.
:)). I like Linux, it performs really well. But I don't like that it's pretty dirty and hackish, which is certainly enough to put me off it. I get the same technical advantages with NetBSD but cleaner and with less maintenance (Good Thing).
The truth is, Linux and BSD are meant to coexist, but not for the same purposes. BSDs are meant as code bases that serve purposes really very well, cleanly and with dedication. They won't just accept "any patch that compiles" as has happened in Linux a lot. They're mostly there for the developers' ideas and needs, and usually users end up with the same needs.
On the other hand, Linux is meant to be the kernel for everyone, and this seems to be the case. It runs on just about everything (even if not in the mainline kernel) and it runs pretty well for the most part. The code base is not clean, but it is functional, which is what matters scientifically. It gets contribution from unspeakable numbers of developers and research and this shows - it has something it does much better than every other system (but yes, every other system has at least one thing it does much better than Linux).
Right now I run NetBSD because I wanted production machines I could stake my life on (still living). I use Linux on my laptop mostly because it has an NVidia card for which NetBSD drivers don't exist (or at least aren't easily downloadable
Matter of opinion though. These things change. Hell I dropped FreeBSD (see tag) after a long time of worshipping it, just because 5.3 has too many regressions to appeal to me.
Sam ty sig.
The Cisco 3600 series *does* use PCI for its bus. Those two or four or six slots on a 36xx series are good ol' PCI, they're just in a Cisco form factor, not the Wintel PCI form factor you're used to seeing. I do believe this means every NM form factor slot is a PCI - 26xx, 28xx, 36xx, 37xx, 38xx, and some other stuff all use it.
Cisco uses PCI because it's a fast, competent bus, with lots of inexpensive parts due to PC volume driving chipset costs. They get more out of an 80MHz MIPS processor in a 3620 than you get out of a 1GHz Athlon because the hardware is tuned to do nothing but move packets from point A to point B.
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
Actually, if you look at the architecture of a Juniper Networks router, it is based on FreeBSD. The Routing Engine is merely a normal PC motherboard running the FreeBSD kernel and Juniper code to handle the routing protocols and system management. There are custom-built ASICs in the Packet Forwarding Engines that handle the packet processing. This architecture has proven to easily outperform the old monolithic architecture of Cisco.
Yes, a higher-end Cisco probably outperforms my laptop running OpenBSD and OpenBGPD, but my laptop wasn't designed to be a high-end router.
You clearly have great ideas there (this is not sarcasm). You should actually tell people this. I've seen so many Linuxisms it hurts. Seeing the valiant efforts of ports/pkgsrc maintainers in trying to work around these annoying oversights is heart-breaking. Otherwise good (well, not always, but at least irreplaceable software like hpoj) software ends up being very hard to get compiled and running without a lot of Makefile and script hacking.
It's not much better that people say "The X for Linux" (e.g. MPlayer) when it works just as well, sometimes better, on many other platforms, the BSDs being the closest but not only. Tip for devs: just because you wrote it on Linux doesn't mean it's FOR Linux. Linux is not the only platform that benefits from more software being written, and this should be credited. If it'll only work on POSIX-like platforms, "The X for POSIX" may sound less hype-worthy but at least it's accurate. Even so, it's better just to have "Another X" or "Yet Another X" (yacc, anyone?), since this is even more true these days, as most things people want have already been written at least once.
Open Source should be about sharing between its different platforms, not just with Linux then porting things to other systems as an afterthought. This is disgusting. Think of the quality products other systems have brought (just in this thread, for instance!) that are made properly portable because that's the Right thing to do, not out of sympathy for "those poor X users who don't have our superior layout and system calls" as Linux devs seem to take it very often.
(When I say 'X' I don't mean X11 or anything, I mean a general wildcard for any system/software name).
Sam ty sig.
So this really couldn't be used for core Internet routers.
Well, I believe that core Internet routers are about 1% of the global router market; the rest of them rarely see more than 100Mbit combined throughput on all WAN ports.
So, several good managed switches and a couple of redundant routers on OpenBGPD would serve well over 90% of the market.
Robert
Bastard Operator From 193.219.28.162
BGP by itself is meaningless. You need at least OSPF for a small network and ISIS for a large one to be able to use it and you need them in a form where the BGP knows everything about an OSPF or ISIS route.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Lucky for Cisco, BSD is dying...
In case you really are stuck in 1987, Cisco does a couple more things than routing these days.
Why just a few weeks ago, I set up a multi-site network using Cisco switches and multiple VLANs and I typed in the appropriate commands (yes, cryptic until you bother to learn) and it worked. No fuss, no troubleshooting, free documentation - this is why people buy Cisco.
Yes, they're market-dominant, yes, they're expensive (hint: buy refurb) and yes, they're into certifications and the like, but that doesn't make them Microsoft. Imagine if Microsoft made rock-solid products and wasn't always trying to screw the rest of the world.
Now, start setting up VOIP networks, dynamic VLANs and fully-meshed WAN networks, stuff a dozen or more pieces in a rack, and you'll start to see that a PC with a FOSS OS isn't always the right answer.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The OpenBSD crowd often don't play well with others. They have a completely different set of priorities than other projects.
There was a discussion on the misc@ list, and it basically came down to completely different priorities plus lots of OpenBSD specific hooks.
I rarely criticize things I don't care about.
As long as you have enough of an IGP cloud so the BGP peer IPs are visible to all BGP peers, you can run BGP for (most) of your routing (and just duplicate the peering IPs between IGP-of-choice and iBGP).
Not that it's *necessarily* a good idea, mind you. But it does make *some* things way easier.
Apparently you've never heard of Juniper Networks. Their router solutions beat the pants off of Cisco for throughput and price, and they're running FreeBSD on their routers.
You don't know much about BGP and its real world uses, do you? First of all, there are a lot of relatively simple, relatively slow WANs using BGP both internally and on their borders. For example, just being dual-homed the right way (TM) with 2 ISPs for resiliency, even with slow T1 links, means that you're doing BGP. Second, even in ISPs and large companies you could have lots of situations where you could appreciate having a cheap, flexible PC doing BGP. Route reflectors, non-core routers (relatively slow customers/PoPs/remote offices), routers injecting BGP-learned routes into OSPF or other internal protocols (and vice-versa), etc.
Most probably, this: http://bradknowles.typepad.com/considered_harmful/2004/09/openntpd.html
And yes, I consider it nonsense, but rather than name calling, I'll happily share it and let you decide how not matching every feature of another program is "harmful". If you agree, don't run OpenNTPD. That simple.
FYI, buying from Intel is discouraged
The best way to predict the future is to invent it
oops, I didn't answer the other part about pool.ntp.org:
http://www.pool.ntp.org/#news
see the "2004-09-07" entry.
PCI will go away soon enough in PC-land. We'll be moving on to PCI-Express. You get to pick your bandwidth and it gets a lot faster than PCI in the top end. I figure Cisco will be moving to PCI-Express as well, to take advantage of preexisting designs.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Also I think the criticism about portability is not warranted. At the time that article was written OpenNTPD already supported Solaris (it was the 2nd target I did) and HP-UX support has since been added. I don't think it's valid to criticise a project that's only existed for a couple of months for "only" running on Linuxes, 4 *BSD's including OSX, and Solaris which covers the 3 main *nix families in use today (Linux, BSD, SysV). The split between OpenBSD and Portable is quite clean and the differences in the common code are small (~50 lines, the diff is in the Portable tarball).
The comment about clock disciplining is a fair point. Right now OpenBSD doesn't permit changing of tickadj at the default securelevel so another mechanism is needed in the kernel. In the mean time I've been experimenting with clock disciplining via Linux's adjtimex syscall (implemented with *zero* changes to the common code).
The comment about crypto depends on what your threat profile is. Relying on large crypto libraries means that you're less vulnerable to active attacks of the "make your clock wrong" type, possibly at the expense of being more vulnerable to attacks of the "0wnd ur b0x" type. Admittedly, in some cases (time sensitive authentications like Kerberos) the former may lead to the latter, but in many cases it can't.
Anyway, decide for yourself. You now have another option (which is why I embarked on -Portable in the first place).
$ find
I have some complaints about Cisco.
1) Cost. We could buy NEW HP layer 2 switches for the price of refurb/used Cisco l2 switches. And the HP kit comes with a product lifetime warranty.
2) Support cost. We're planning to replace our Cisco 12000 GSRs with Foundry or Juniper stuff. The maintenance contract cost alone justifies trashing the old equipment and buying new. WTF?
3) IOS/CatOS variety. Ever read a nightmarish vulnerability alert and had to figure out if it applied to you? And if so, what you need to upgrade to? There are THOUSANDS of versions, most of which are described generically. And at least once I've been told that a fix was backported, so the version number didn't increment.
4) Usability - HP kicks their asses at the access switch level. It is much easier to set up a bunch of inter-tied VLANs. The syntax is clearer and cleaner. I think every config I've tried to do is easier on the HP family. We updated a bunch of equipment all at once, mostly one model (HP2524, with a few HP4108gl's). It may be that other members of the product line are lame.
I will grant that Cisco tech support is good, and their stuff is good. But there are definitely elements of "We're No. 1, so open your wallet"
ANYTIME you have a project that uses any software that can be bought in a box set, always buy from the project. Your employer, customer or grandma will not scoff at the tens and tens of dollars that you give to these guys to help them out.
Hell, even if you spark up a mailserver in a pinch using downloaded ISOs, always go back and buy the damned box set later on. Make it a line item on your bill, include it in the budget, do whatever you have to do.
I have purchased a fair amount of packaged CD sets from Slackware, OpenBSD, Redhat, Debian, etc. and have never spent a single dime of my own money.
-ft
use your turn signal! you people act like it's divulging information to the enemy
That's the BSD Way, as far as I have seen. To do one thing and do it very well, and only add more functionality if people really want/need it.
Look at the BSD tools versus GNU tools. They do fundamentally the same things, but GNU tools are usually tens of times larger because they do lots of things only one or two people alive would want. This means those one or two people find GNU tools more convenient, while the rest of us like being able to compile the whole *BSD world in 1 hour on a slow machine, where a GNU-based system takes an hour to compile JUST glibc on the same hardware.
In the running system, GNU tools are handier, since they have more modern defaults, more convenient shortcuts to doing things (default of . for find(1), default output of stdout instead of the tape device for tar, and so on), etc. but the BSD tools are usually a load easier to know the full functionality of. Look at BSD indent versus GNU indent (which is a fork of BSD indent). The latter has every feature under the sun, many of which never will be used. The former hasn't changed much in years and still does what it always did well, nobody complains. The latter can be more convenient, but at the cost of code size, sometimes even cleanliness... no thanks.
But yeah, that's my point. The BSDs focus on the functionality something is meant for, and do it as cleanly as possible. The 'other' software doesn't have this focus. Which you consider 'better' is all about your priorities I suppose.
Sam ty sig.
They're unstable, incompatible, bloated, insecure, and quite importantly, virally bound to the GPL, which is most definitely contrary to the BSD philosophy. PF was created (mainly) because the license was not acceptable.
To fix inherent problems, you almost always have to fork because of the incompatibilities. Plus, what advantage would it provide over starting from scratch? They're already screwed in the license department, since it's GPL'd.
What would you rather do... Build a house from the ground up, or take someone's completely trashed and poorly built house, and try to repair the entire thing? Often times, starting from scratch is the better option.
To you, but you aren't among the developers, so you get no say. They wanted something for BSD, just like they did with OpenSSH, just like they did with OpenNTPD, and PF.
If someone wants to put the effort into porting it, they can. If you want to import much of the code into Quagga, go right ahead. They see no benefit from doing that, though plenty of drawbacks for them, so they didn't do things that way.
<LICENSE_RANT>
I'd like to remind people that nothing has ever become a standard, with a GPL license attached to it. Things like TCP/IP, NFS, FTP, SMTP, DNS, all BSD (or even less restrictive) licensed, so others could actually use it, without having to sign the restrictive license that is the GPL. If nothing else, being BSD-licensed may give OpenBGPd a big audience of companies looking to integrate it.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant