traffic engineering (or lack of thereof)

[Alex Yuriev <alex () yuriev com>]

> And how many people here operate non-oversubscribed networks?

The right question here should be "How many people here operate non-super
oversubscribed networks?" Oversubscribed by a a few percents is one thing,
oversubscribed the way certain cable company in NEPA does it is another.[1]

> So having 3 Gb of DoS traffic coming across a half dozen
> peering OC48s isn't that bad; but having it try to fit onto
> a pair of OC48s into the backbone that are already running
> at 40% capacity means you're SOL unless you filter some of
> that traffic out.

Why does your backbone have only two OC48s that are 40% utilized if you have
half a dozen peering OC48s that can easily take those 3Gb/sec?

> And I've been in that situation more times than I'd like to remember,
> because you can't justify increasing capacity internally from a remote
> peering point into the backbone simply to be able to handle a possible DoS
> attack.

This means that the PNIs of such network are full already. So we are back to
the super-oversubscribed issue.

> Even if you _do_ upgrade capacity there, and you carry the extra 3Gb of
> traffic from your peering links through your core backbone, and off to
> your access device, you suddenly realize that the gig port on your access
> device is now hosed.  You can then filter the attack traffic out on the
> device just upstream of the access box, but then you're carrying it
> through your core only to throw it away after using up backbone capacity;
> why not discard it sooner rather than later, if you're going to have to
> discard it anyhow?

Because you do not know what is the "evil" traffic and what is the "good"
traffic. 

> And under those circumstances, there is a strong preference to discard
> "bad" traffic rather than "good" traffic if at all possible. One technique
> we currently use for making those decisions is looking at the type of
> packets; are they 92 byte ICMP packets, are they TCP packets destined for
> port 1434, etc.

And this technique presumes that the backbone routers know what are the
packets that their customers are want to go through and which ones they do
not. Again, this is not a job of backbone routers. It is a kluge that should
be accepted as a kludge.

> I'd be curious to see what networks you know of where the IS component
> does *no* statistical aggregation of traffic whatsoever.  :)

The example that you are using is not based on statistical traffic
aggregation. Rather it is based on an arbitrary decision of what is good and
what is bad traffic (just like certain operators that claimed that DHS
ordered them to block certain ports).

> Matt

Alex


[1] Bring three T1s of IP. Sell service to serveral hundred cable
customers.