Slashdot Mirror
OpenBSD Project Announces OpenBGPD
44BSD writes "As noted at undeadly, the OpenBSD Project has announced an BSD-licensed implementation of the Border Gateway Protocol, BGP. Project details, design goals, documentation, and more are at the project web site. BGP is documented in RFC 1771.
Lucky for Cisco, BSD is dying..."
Lucky for everyone else, a BSD license will make it easy to implement in every other router box and make it cheap. Or so I hope.
No sig
Unfortuantely, even the fanciest boxes running BSD can't complete on a pure throughput basis with good Cisco routers. An twenty-four port gigabit Cisco router has a 48 Gbps backplane, but a PC running BSD will be limited by its bus--the fastest servers have a 64 bit 133 MHz bus with PCI-X. That's 8 Gbps. And you can't put more than a handful of network cards in even the largest BSD-capable server--there simply aren't the expansion slots. So this really couldn't be used for core Internet routers.
And, of course, you don't need to be running BGP on small networks--it's only when you've got a number of large networks joined together, at a chokepoint, where you need to use BGP to properly route traffic. So there's no point to it for small businesses with who might be trying to save money over a Cisco router--they don't need BRP.
I wonder, then: where is the market for this....?
---
Just because it's BSD doesn't mean that it's going to be limited to PC Architecture.
This project could give a boost to manufacturers of competing kit by having a code base that it doesn't have to start from scratch and can be run on a minimal BSD distribution.
There's nothing to stop A.N.Other manufacturer creating their own arcitecture and running this ontop.
Matt Thompson - Actuality - Insert product here.
Yeah. Now you Linux users get to feel the pain the BSD users feel for EVERY FUCKING 3RD PARTY PIECE OF SOFTWARE UNDER THE SUN written by Linux weenies.
Many, many sites use BGP at less that 8Gbps aggregate throughput - hell I know of several sites that still run partial feeds over ISDN BRI. I just don't see where you get the idea that BGP is only for core routers.
>I wonder, then: where is the market for this....?
Perhaps when hackers start using the vulnerabilities in the BGP protocol to attack the Internet and those vulnerabilities are not found to be present or are fixed faster in the open BSD code, that'll justify the project's existence.
I mean we've already seen that open-source has fewer vulnerabilites than closed-source in general (Think I.I.S. vs Apache), so this will just become another way to secure the Internet.
I don't know the meaning of the word 'don't' - J
Interfacing with the kernel routing table is highly platform-dependant, there is not avoiding that. Beyond this, if someone wants to make a port, most of the necessary glue can be lifted from OpenSSH's libopenbsd-compat or Darren Tucker's OpenNTPd port - someone just needs to do the work :)
the openbsd team has branched off quite a few projects where they saw the security and/or license was insufficient and needed to be redone.
OpenSSH, who's box doesn't have this?
OpenNTPD, a network time protocol daemon and server, recently released.
OpenBGPD, the border gateway protocol daemon.
They were pioneers in the use of stack protection software on the i386 platform (kernel and compiler), as well as privilage seperated daemons (it's in your sshd now), and randomized library linking locations.
(i think i'm missing a few, anyone care to fill them in?)
they have implemented (a far better implementation over the old one that they didn't write) their i.p. filter, PF (which has now made it into netbsd, freebsd, and hopefully linux soon enough). this includes INSANE amounts of configurability options, with integrated routing and traffic shaping.
many people grumble about how the project is run and its priorities. but we all benefit from their efforts. i think i'm going to buy a cd even though i am not an openbsd user. these sales help keep these projects going.
It appears that a lot of good stuff keeps coming out of OpenBSD. They truly focus on the things that matter (for them). Not gadgets or eye candy, but clean, solid, secure network implementations. Kudos again!
Please correct me if I got my facts wrong.
unfortunately the interfacce to the kernel routing table is not standardized, so this is highly platform dependent by the nature of the problem beeing solved.
;) If anybody steps up and makes one, why not?
Moreover, seeing BGP as a pure userland task ist far off reality. While that is technically speaking mostly true, you need a lot of kernel support. In fact, we did modify our kernel routing table structures to linder kvm pressure and thus fit a full-mesh table (> 140000 enties) into an GENERIC kernel. You need network stack modifications for tcp md5. The ipsec integration required changes to the IPsec kernel implementation as well as isakmpd - and there's more...
So, while strictly speaking bgpd is a userland thing, you need more than that for a BGP router. OpenBSD and OpenBGPD offer this.
That said, I am in no way opposed to a portable version. Just like for OpenNTPD I won't do it tho
henning
Right now, you're absolutely right: doing this in a PC would cost as much as or more than a dedicated solution, especially when you factor in the infamous TCO. And as you say later, small networks have no need for this sort of thing. But again, in a few years it may be affordable to do this on commodity hardware. Once the enormous cost of big iron from Cisco et al. comes down, I think a lot of those small networks might just find needs. Especially if we get into the much-touted Internet of the Future where everything has an IP address.
What are you talking about?!
I'm running FreeBSD on the desktop, and I've only had trouble getting the following binaries to compile and run: GTK, Qt, Firefox, Java 1, Java 2, Java 5, gaim, xchat, evolution, mozilla, thunderbird, open office, koffice, gedit....garsh, I don't know what the parent poster is talking about, sheesh
.....at least xterm works! w00t!
Error 407 - No creative sig found
Yes, and a Boeing 747 can carry a hell of a lot more passengers than a Citroen CX. Guess which one is most cost-effective and works best for a 40-mile commute?
I think it is a good choice for the OpenBSD cases. It allows development to be done at better development speed and with cleaner code than something trying to be completely portable. This makes it easier to track security and work with the code.
I'll also note that most software that is "portable" today is written using GNU autotools, which makes it, on average, less portable than software was before autoconf. Either it works at once (this happens reasonable often), or there is a significant amount of pain to make it work. Ten to fifteen years ago, there was usually some work involved, but the average was less, and it was spread out.
Separating the porting part from the initial clean codebase means that it is possible to debug them separately, and when autotools fails, it is easier to go around them.
Eivind.
Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
Another thing to be mindful of are Linuxisms, like /bin/sh being a link to /bin/bash; and, for that matter, all programs being in either /bin or /usr/bin. Everyone except Linux, more or less, puts stuff in /usr/local or /opt or God knows where else. So when writing scripts, set the interpreter as the actual interpreter: if you're using bashisms in your script, don't set the interpreter as /bin/sh. Don't put in any paths at all to the interpreter, either. Do #!/usr/bin/env bash instead, which will invoke the first bash on the caller's command line. That way you don't have to care if bash is in /bin/bash, /usr/bin/bash, /usr/local/bin/bash, or /opt/bin/bash. Or, in the case of qmail, /var/bash/bin/bash.
Pretty much. It's the same there too. Everyone wants their project to do better.
:)). I like Linux, it performs really well. But I don't like that it's pretty dirty and hackish, which is certainly enough to put me off it. I get the same technical advantages with NetBSD but cleaner and with less maintainance (Good Thing).
The truth is, Linux and BSD are meant to coexist, but not for the same purposes. BSDs are meant as code bases that serve purposes really very well, cleanly and with dedication. They won't just accept "any patch that compiles" as has happened in Linux a lot. They're mostly there for the developers' ideas and needs, and usually users end up with the same needs.
On the other hand, Linux is meant to be the kernel for everyone, and this seems to be the case. It runs on just about everything (even if not in the mainline kernel) and it runs pretty well for the most part. The code base is not clean, but it is functional, which is what matters scientifically. It gets contribution from unspeakable numbers of developers and research and this shows - it has something it does much better than every other system (but yes, every other system has at least one thing it does much better than Linux).
Right now I run NetBSD because I wanted production machines I could stake my life on (still living). I use Linux on my laptop mostly because it has an NVidia card for which NetBSD drivers don't exist (or at least aren't easily downloadable
Matter of opinion though. These things change. Hell I dropped FreeBSD (see tag) after a long time of worshipping it, just because 5.3 has too many regressions to appeal to me.
Sam ty sig.
The Cisco 3600 series *does* use PCI for its bus. Those two or four or six slots on a 36xx series are good ol' PCI, they're just in a Cisco form factor, not the Wintel PCI form factor you're used to seeing. I do believe this means every NM form factor slot is a PCI - 26xx, 28xx, 36xx, 37xx, 38xx, and some other stuff all use it.
Cisco uses PCI because its a fast, competent bus, with lots of inexpensive parts due to PC volume driving chipset costs. They get more out of an 80MHz MIPS processor in a 3620 than you get out of a 1GHz Athlon because the hardware is tuned to do nothing but move packets from point A to point B.
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
So this really couldn't be used for core Internet routers.
Well, I believe that core Internet routers are about 1% of global router market, the rest of them rarely sees more than 100Mbit combined throughput on all WAN ports.
So, several good managed switches and couple of redundant routers on OpenBGPD would serve well over 90% of the market.
Robert
Bastard Operator From 193.219.28.162
Couple of examples:
on the HP, the command line to set ports 1,13, 22-24 for vlan 200 is:
config t (same as cisco)
vlan 200
untagged 1,13,22-24
All done. Imagine your joy setting this for 172 ports on a fairly typical HP4108gl, vs your misery doing it one port at a time on a cisco 3548. Probably should exit config mode and save, but that's not unique to HP. "Tag" is literally what vlan config does. If you are cisco-trunking (more than one vlan across a single physical link), the ethernet datagram gets a vlan tag to separate it from the 'native' vlan of the link. HP doesn't obfuscate that the way Cisco commands do.
switchport access native vlan foo
switchport trunk allowed vlan foo, bar
switchport trunk encapsulation dot1q
switchport trunk mode trunk
Plus pruning!
To make port 25 what cisco calls a trunk, and pass traffic for vlan 200 and 300 on it, vlan 200 native:
int vlan 200
untagged 25
int vlan 300
tagged 25
done. I've had some real problems getting the right config for a cisco switch to interoperate with the HP, but not vice-versa.
You can also use a text-based menu, and toggle the vlan state (untagged, no, forbid, tagged) for each port. You see them all side by side, and that helps make sure you got the config correct.
The cisco stuff just seemed crankier and less intuitive- on the cat2924, anyway, and to a lesser extent the 3548. I have two 3548s that will silently fail any vlan config commands - it accepts them, but no port behavior changes. Pending a catos update, they are basically netgears with a price tag.
I grant that it is a feature to offer vlan types besides dot1q, but not one I welcome.
Finally, on the higher end, we are burdened with VTP. I may be a luddite; I'm willing to grant that possibility for the sake of argument. But I hate automagic stuff like vtp. This just does not seem like the sort of thing we should trust our net infrastructure to work out as its whim dictates. This kind of thing just doesn't save enough sysadmin time to make up for the weird errors and such. And it's hard to turn vtp off.
This post took on a lecturing tone - sorry about that. I don't presume to have greater knowledge of cisco and vlan tech.
Oh - Snort rocks!
They're unstable, incompatible, bloated, insecure, and quite importantly, virally bound to the GPL, which is most definately contrary to the BSD philosophy. PF was created (mainly) because the license was not acceptable.
To fix inherent problems, you almost always have to fork because of the incompatibilities. Plus, what advantage would it provide over starting from scratch? They're already screwed in the license department, since it's GPL'd.
What would you rather do... Build a house from the ground up, or take someone's completely trashed and poorly built house, and try to repair the entire thing? Often times, starting from scratch is the better option.
To you, but you aren't among the developers, so you get no say. They wanted something for BSD, just like they did with OpenSSH, just like they did with OpenNTPD, and PF.
If someone wants to put the effort into porting it, they can. If you want to import much of the code into Quagga, go right ahead. They see no benefit from doing that, though plenty of drawbacks for them, so they didn't do things that way.
<LICENSE_RANT>
I'd like to remind people that nothing has ever become a standard, with a GPL license attached to it. Things like TCP/IP, NFS, FTP, SMTP, DNS, all BSD (or even less restrictive) licensed, so others could actually use it, without having to sign the restrictive license that is the GPL. If nothing else, being BSD-licensed may give OpenBGPd a big audience of companies looking to integrate it.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant