jd603
just joined
Topic Author
Posts: 7
Joined: Tue Dec 23, 2014 4:41 am

BGP multithreaded

Mon Jan 22, 2018 2:03 am

I know this has been hyped for v7 but I think adding this to 6.x should be key. I was looking at some ccr1072s for a new deployment but there are 3 upstream providers with full IPv4 and 6 feeds from each. I have some concerns about performance if I deploy with them. I have solutions for DDoS weaknesses already which was also a concern but there are solid workarounds for that one.

Does anyone have a few full BGP feeds still on the CCRs? Are there any day to day issues assuming no connection flapping? It just takes a long time to converge all routes and process updates but this in general doesn't impact passing traffic, right? Anyway, I could imagine the complexity of coding a multithreaded BGP/route daemon so it's not like I don't get that.. I'm hoping they hire someone if necessary. :-)
 
JimmyNyholm
Member Candidate
Posts: 249
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: BGP multithreaded

Mon Jan 22, 2018 9:49 pm

I have. No flapping, all is working OK, but convergence times are horrible. I have only 3 full feeds on each (i.e. one full peer and two reflectors with all other peers). One Tilera core is constantly at 100 percent; it will do as much as it can, as fast as it can.

Forwarding and routing is good and fast as long as you keep all traffic in fastpath. It is a router not a firewall.

Multithreaded approach is much overdue and we all are eagerly waiting for its arrival. Some here on the forum say it is not needed, but looking at ALL other BGP implementations on the market, all are multithreaded.

1 thread reads queue and updates kernel routing table.
1 thread for each peering session keeps track of all traffic to and from one peer and keeps all peer data in specific local full table.
1 thread for each peer local table applying filters and posting result to main central queue.

This keeps the wheels spinning on most systems.
 
jd603
just joined
Topic Author
Posts: 7
Joined: Tue Dec 23, 2014 4:41 am

Re: BGP multithreaded

Tue Jan 23, 2018 12:55 am

Thanks for the info. Might give it a try. I think I can do 2 full feeds and only partial for the other peer. It'd be great if I knew that within a year it would be multithreaded.. it's been talked about for years now it looks like. Ok done whining. haha
 
candlerb
just joined
Posts: 9
Joined: Fri Jun 30, 2017 12:07 am

Re: BGP multithreaded

Wed Jul 25, 2018 11:57 am

> Forwarding and routing is good and fast as long as you keep all traffic in fastpath. It is a router not a firewall.

True, but it is still good practice to do anti-spoofing filtering on a border router

I also feel happier blocking traffic to the control plane with filters on the 'input' chain - you never know when some new bug with SSH or SNMP might turn up.
 
doneware
Trainer
Posts: 540
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: BGP multithreaded

Thu Jul 26, 2018 1:25 pm

> True, but it is still good practice to do anti-spoofing filtering on a border router

In terms of bogons, you can just blackhole them automatically via BGP, and it shall not affect fastpath.
http://www.team-cymru.com/bgp-examples. ... rotik-trad
http://www.team-cymru.com/bgp-examples. ... rotik-full
#TR0359
 
andressis2k
Member Candidate
Posts: 104
Joined: Mon Apr 18, 2011 12:47 am

Re: BGP multithreaded

Fri Jul 27, 2018 3:29 pm

> > Forwarding and routing is good and fast as long as you keep all traffic in fastpath. It is a router not a firewall.
>
> True, but it is still good practice to do anti-spoofing filtering on a border router
>
> I also feel happier blocking traffic to the control plane with filters on the 'input' chain - you never know when some new bug with SSH or SNMP might turn up.

To prevent spoof, IP > Settings > RP Filter. You won't route any package whose source isn't reachable by you.

We currently have a CCR1072 with 2 full peers, 100 BGPv4 sessions and 120 routing filters. 0 firewall rules

It works? Well, it's routing about 8gbps at peak hours. Maximum CPU usage is 10% (one core ALWAYS at 100%).

The problem: any route (even a static one) takes 15-20 minutes to start working. For example, if you add 192.168.1.1/24 address in ether1, it takes some minutes until you can ping to 192.168.1.0/24 network.

Of course if one of the full peers goes down, be ready to lose all connectivity for 10-15 minutes. There is no way to fight or mitigate a DDoS attack with this response time (when you propagate the route to blackhole server, the attacker finished attacking hours ago and will be having a beer on the beach)

Can CCR1072 do it? Yes, it can. Can CCR1072 do it with carrier class performance? Absolutely no. Will it work when RouterOS v7 is launched? Maybe we'll never know. Possibly many of us will be retired by then. For now, we're moving to Huawei.
 
schadom
Member Candidate
Posts: 139
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: BGP multithreaded

Sat Jul 28, 2018 5:12 am

> We currently have a CCR1072 with 2 full peers, 100 BGPv4 sessions and 120 routing filters. 0 firewall rules
> It works? Well, it's routing about 8gbps at peak hours. Maximum CPU usage is 10% (one core ALWAYS at 100%).

Similar scenario here, although within a much smaller environment:

* CCR1009-7G-1C-1S+
* Two BGPv4 full-feeds for IPv4/v6
* Cymru full-bogons feed IPv4/v6
* 15 BGPv4 peers / 125 routing filters
* 50 IPv4 and 50 IPv6 simple firewall rules
* CPU average at 12%, peaks at 30% when under heavy-load
* One single core always at 100% utilization (routing)

Would switch to a CCR1016 or CCR1036 instantly, if we knew it would be more performant. Unfortunately the current routing software implementation is the limiting factor - not the hardware itself. One could achieve better results even on much older x86 hardware by using a solid BGPd/routing software suite.


> The problem: any route (even a static one) takes 15-20 minutes to start working. For example, if you add 192.168.1.1/24 address in ether1, it takes some minutes until you can ping to 192.168.1.0/24 network.

In our case it takes around 5-10 minutes. Matching routes on dst-address or bgp-as-path is HORRIBLE too. Might give FRRouting on x86 a try soon before we eventually will end up with a Cisco ASR. Sad story because I always preferred MT over other vendors for various reasons, not solely price-related, I'd be willing to even pay higher prices if they had fixed their crooked routing and BGP implementation. MT, do you even still hear our prayers? :(
 
JimmyNyholm
Member Candidate
Posts: 249
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: BGP multithreaded

Sun Jul 29, 2018 2:42 pm

> > Forwarding and routing is good and fast as long as you keep all traffic in fastpath. It is a router not a firewall.
>
> True, but it is still good practice to do anti-spoofing filtering on a border router
>
> I also feel happier blocking traffic to the control plane with filters on the 'input' chain - you never know when some new bug with SSH or SNMP might turn up.

IP SETTINGS RPFilter is there for antispoof (URPF, but not VRF compatible currently in V6). This makes all your traffic remain in fastpath with URPF enabled either as STRICT or LOOSE, where strict is telling the router only to accept packet source on ingress if it is currently routed and that the route is ACTIVE. Setting LOOSE will accept packet source on ingress as long as a route is found, active or not.
@MT Where is the ipv6 setting for URPF?

@MT PLEASE FIX VRF issue in V6 IF POSSIBLE if not PLEASE PUSH OUT THE UNICORN NEXT Version so that Routeros once again can be a GOOD Router.


Fixing Control plane issues on a tilera device with plenty of cores just to sacrifice fastpath................ NO...... But if you use weaker routers. You know what's best for your network.

Set the border, which often is multi-homed, to loose and others downstream to customer to strict and you're DONE concerning antispoof (AKA URPF)
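
Added example, not part of the post above: a small Python model of uRPF strict and loose mode as defined in RFC 3704, showing why loose fits a multi-homed border and strict fits customer-facing interfaces. The FIB, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed FIB for a dual-homed border router (documentation prefixes).
# Each entry: (prefix, interface the best route to that prefix points out of).
FIB = [
    ("198.51.100.0/24", "upstream-a"),  # best path is via upstream A
    ("203.0.113.0/24", "upstream-b"),   # best path is via upstream B
    ("192.0.2.0/24", "customer-1"),     # downstream customer block
]

def lookup(src):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_accept(src, in_iface, mode):
    """'strict': the route back to src must use in_iface.
    'loose': any route to src is enough. 'no': check disabled."""
    if mode == "no":
        return True
    route_iface = lookup(src)
    if route_iface is None:
        return False          # unrouted source: dropped in both modes
    return mode == "loose" or route_iface == in_iface

def demo():
    cases = [
        ("198.51.100.7", "upstream-b"),  # legitimate, but arrives asymmetrically
        ("10.9.9.9", "upstream-a"),      # source with no route at all
        ("203.0.113.5", "customer-1"),   # customer sending with a foreign source
        ("192.0.2.20", "customer-1"),    # customer using its own block
    ]
    return {c: (urpf_accept(*c, "strict"), urpf_accept(*c, "loose")) for c in cases}

if __name__ == "__main__":
    for (src, iface), (strict, loose) in demo().items():
        print(f"{src:14} in {iface:11} strict={strict} loose={loose}")
```

Strict mode drops the asymmetric but legitimate packet on the upstream interface, while loose mode lets the customer interface pass a source that is routed elsewhere.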
 
mhviper
newbie
Posts: 36
Joined: Wed Sep 25, 2013 4:59 am

Re: BGP multithreaded

Wed Aug 01, 2018 10:33 am

> > > Forwarding and routing is good and fast as long as you keep all traffic in fastpath. It is a router not a firewall.
> >
> > True, but it is still good practice to do anti-spoofing filtering on a border router
> >
> > I also feel happier blocking traffic to the control plane with filters on the 'input' chain - you never know when some new bug with SSH or SNMP might turn up.
>
> To prevent spoof, IP > Settings > RP Filter. You won't route any package whose source isn't reachable by you.
>
> We currently have a CCR1072 with 2 full peers, 100 BGPv4 sessions and 120 routing filters. 0 firewall rules
>
> It works? Well, it's routing about 8gbps at peak hours. Maximum CPU usage is 10% (one core ALWAYS at 100%).
>
> The problem: any route (even a static one) takes 15-20 minutes to start working. For example, if you add 192.168.1.1/24 address in ether1, it takes some minutes until you can ping to 192.168.1.0/24 network.
>
> Of course if one of the full peers goes down, be ready to lose all connectivity for 10-15 minutes. There is no way to fight or mitigate a DDoS attack with this response time (when you propagate the route to blackhole server, the attacker finished attacking hours ago and will be having a beer on the beach)
>
> Can CCR1072 do it? Yes, it can. Can CCR1072 do it with carrier class performance? Absolutely no. Will it work when RouterOS v7 is launched? Maybe we'll never know. Possibly many of us will be retired by then. For now, we're moving to Huawei.

What Huawei device?
 
magik20
just joined
Posts: 4
Joined: Fri Mar 08, 2019 4:13 pm

Re: BGP multithreaded

Sat Mar 09, 2019 4:41 pm

Is there another protocol that you can use from an upstream provider to get around this issue with the CCR 1036 and non-multithreading?
 
fflo
just joined
Posts: 12
Joined: Wed Jan 02, 2019 7:59 am

Re: BGP multithreaded

Sat Mar 23, 2019 11:04 am

@Mikrotik
Is it possible to integrate FRRouting into RouterOS 6?
- https://frrouting.org/
- https://github.com/FRRouting/frr

Going this step should add BGP multithread support + full MPLS IPv6 / VPNv6 support.
 
fflo
just joined
Posts: 12
Joined: Wed Jan 02, 2019 7:59 am

Re: BGP multithreaded

Tue May 07, 2019 2:46 am

Any update on this topic?
Using CCR1072 equipment no-one likes to get stuck with a hanging routing table on one core and route insert or modification times of 15-20 minutes.
 
mutinsa
just joined
Posts: 21
Joined: Tue Feb 06, 2018 4:55 am
Location: Moscow, Russia

Re: BGP multithreaded

Tue May 07, 2019 8:57 am

+1

> @Mikrotik
> Is it possible to integrate FRRouting into RouterOS 6?
> - https://frrouting.org/
> - https://github.com/FRRouting/frr
>
> Going this step should add BGP multithread support + full MPLS IPv6 / VPNv6 support.

Sergey Mutin
Certified Mikrotik Consultant
MikroTik: MTCNA, MTCRE, MTCIPv6E, MTCTCE, MTCUME, MTCINE, MTCWE | Cisco: CCNA R&S | Juniper: JNCIA-Junos | Zabbix: ZCU | Asterisk: dCAA | IPv6 Forum Certified Network Engineer (Silver) | HE.net IPv6: Sage
 
cdemers
Member Candidate
Posts: 184
Joined: Sun Feb 26, 2006 3:32 pm
Location: Canada

Re: BGP multithreaded

Tue May 07, 2019 5:29 pm

+1

> @Mikrotik
> Is it possible to integrate FRRouting into RouterOS 6?
> - https://frrouting.org/
> - https://github.com/FRRouting/frr
>
> Going this step should add BGP multithread support + full MPLS IPv6 / VPNv6 support.

Would be nice, but looks like it requires at least a v4.9 Linux kernel to be useful. So not practical to try and back port it to an older kernel. Would probably need substantial modifications to make it work. Would like to have them put that effort into getting an alpha or beta version released to get the ball rolling on a newer kernel.
 
pe1chl
Forum Guru
Posts: 5979
Joined: Mon Jun 08, 2015 12:09 pm

Re: BGP multithreaded

Tue May 07, 2019 5:38 pm

> Is there another protocol that you can use from an upstream provider to get around this issue with the CCR 1036 and non-multithreading?

When you only want to have failover you can consider having your upstream providers only send a default route and maybe their locally-announced subnets over BGP instead of a full table.
 
PaulTN
just joined
Posts: 4
Joined: Fri Feb 10, 2012 9:38 pm

Re: BGP multithreaded

Wed May 22, 2019 11:32 pm

Any update on this topic?
Using CCR1072 equipment no-one likes to get stuck with a hanging routing table on one core and route insert or modification times of 15-20 minutes.
 
akant
just joined
Posts: 12
Joined: Tue Oct 11, 2011 8:29 am

Re: BGP multithreaded

Thu Sep 19, 2019 6:28 pm

+11111111111111111111111
 
paulct
Member
Posts: 303
Joined: Fri Jul 12, 2013 5:38 pm

Re: BGP multithreaded

Fri Sep 20, 2019 10:06 am

With the new 7 beta that is out we know they have improved the process of importing BGP routes. Just a matter of time before this is released into the wild and on e.g. Tile.
However I would not run it in production for quite a while yet.
 
fflo
just joined
Posts: 12
Joined: Wed Jan 02, 2019 7:59 am

Re: BGP multithreaded

Thu Oct 31, 2019 5:32 am

Any news about BGP routing on RouterOS v7 Beta?
On which software is the new implementation based?
