2010.10.04 NANOG50 day 2 (Monday) morning sessions. version 1.0

Dave Meyer kicks off the NANOG50 Monday morning session at 0931 hours Eastern Time.
TATA, FiberLight, Telx, Google, ToreyPoint, and other sponsors, many thanks to them! Network is nice, thanks! Lots of contributors: Cox, MyriadSupply, Internet2, OSI, ARIN, Spectrum Networks. Fill out your surveys!! PacNet, Nokia, Siemens, Juniper, Lucent, OSI, PCCW, vendor collaboration, A10, Lucent, Comcast, Arris.
Steering committee is blue, yellow is program committee, red is communications committee. Give people feedback if you have any issues or concerns.

Don Welch, Merit Networks. Merit staffers have green badges; they handle IT and logistics for the conference. Be sure to vote in the elections! And remember, as you vote for steering committee members, they will also be newNOG board members.
Special thanks to Eric Shepkaro (Telx) for hosting the conference. Steve G from Pandora: great conversation last night, ended up driving a change in the business stream it seems. ;D Thanks to everyone for their work on hosting this conference, from all the sponsors.
He listened to Aaron, founder of Mint.com: every technical person, every engineer can add 500,000 in valuation to a company, while each business person can subtract 150,000 in value. People here cut right to the meat of issues, opening dialogues, discussing matters of interest, hitting key issues, and getting educated.
While the internet isn't doubling every year, we're still seeing strong year-over-year growth curves; people are still working on scaling, growing their edge, etc. With more mobile and P2P traffic in play, with v4 addresses running out, and traffic levels rising, we have more and more challenges to face. Security issues and attacks are on the rise, and are getting more sophisticated. Network neutrality and network control are always hot topics as well. Over the next couple of days, we'll try to tackle many of those issues.
56 Marietta, network-neutral colocation facility; if you'd like to see it, hop on a bus around lunch time and see it. At Shout tonight, another social event sponsored by Telx, Cisco, NTT; come join them!!

OK, back to Dave Meyer. You can look at the archives back to the second meeting to see what people were talking about back then. Elise Gerich helped shepherd the first meetings, so she's back for meeting 50. Remember when there were no slides...and then transparencies... :)

The end of the beginning: she spoke at the first, and now she gets to speak at the 50th. The beginning was the regional techs, back in 1988; in 1994, it was the end of that beginning. End of 1994 was the last of the regional techs meetings, in San Diego. The last of the NSFnet work was going to transition to commercial providers. Regional Techs had grown up as NSFnet grew up, as a collaboration from IBM and MCI; the early regional techs blasted MCI, IBM, and Merit for being clueless in their relative areas.
Elise Phoebus Gerich: her monogram was EGp, and she got asked "what's your metric?" at that first meeting. IBM and MCI were the new guys at the table, and they told them they'd have to work hard together to make it a success. Sue Hares was working on the agenda, and turned it over to Elise so she could work on the policy database. Regional Techs meetings always had food, from the very first meeting, a tradition that continues today. AlterNet and other commercial providers started to attend, like PSI; and then vendors started to show up.
So, by 1994, in San Diego, regional techs started to disband; they asked if they wanted to continue or not. A room much like this, Mark Knopper and Elise on stage asking if anyone thought it should continue or not. There was overwhelming positive response; but they couldn't be just regional techs anymore, it was a more global group, so what to call it? EPG, engineering planning group -- too confusing with Elise's monogram. IEPG was already taken.
NOG was suggested; but they were mainly in America, so it became North American NOG. Then they debated for the next three meetings about how to pronounce the new name. January 1994 was the decision to morph regional techs. Charter written by Elise and Mark Knopper. There have been many chairs, and she was the first mistress of ceremonies for the meetings. Loosely organized, Merit sponsored; it had to grow, no longer under the umbrella.
In 1995, she handed mistress of ceremonies over to Bill Norton; while he was in business school, he used it as an experiment. Added beer and gear, numbering the meetings, got sponsorships. He was always an interesting speaker; they videotaped some meetings and presentations, with overhead transparencies; he'd walk back and forth, and then periodically he'd disappear; he wanted to see if the camera man could keep up with him.
So, regional techs eventually did wrap up, and NANOG started. One chair always opened the meetings with a joke, and they were generally the worst jokes possibly ever heard. "Why did the chicken lay two eggs?" "Because one egg is not enough (an oeuf)." At one meeting, they were trying to extend wifi upstairs, planting repeaters in planters, when security was called, and they had to try to explain the internet to hotel security.
Mark noted that NANOG was always very social; they had a meeting in Colorado, right after the legislation was passed blocking gay rights. So, NANOG expanded to include a gay rights speaker, in Colorado, to protest the legislation.
Bob Metcalfe was another good story. In 1995, he attended one of the meetings; in a long article, one piece said "if NANOG is to lead us to a business strength Internet, it must attract more people wearing suits." Big flurry of emails on the list, and finally Bob wrote back, indicating that we had misunderstood: we would have to be more open to the people in suits who were more business oriented. We've tried to be very open, and open to the business people joining us.
Bob Metcalfe predicted the collapse of the internet, and would eat his words if it didn't. Well, it didn't, so a second shirt was printed up. :D
So, some more stories from the early days, and then a quiz. Whirlyball? Socials were introduced at regional techs meetings; they've gotten more organized and fancier, but at early meetings they had whirlyball, where it's 5 on 5, you can't get out of your little electric cars; you have a jai alai racquet, a whiffle ball, and a basketball hoop. They'd collect for beer money, and then Vince Fuller and a couple of others made up a superstar team, who pretty much always won. And then there were the also-rans, who almost never won. The superstars did lose that game, and never played again. Go find a place that does whirlyball; there's one here in Atlanta, we should go do it for the 50th anniversary.
So many good times, so many good memories; great to be part of the beginning...and then part of the end of the beginning, and the beginning of NANOG; and now, we get to be part of another new beginning, with newNOG. People who were just kids back then, doing some experiments, who had their careers escalated by their experience here.

John Curran will come up for the ARIN update. Yes, he was a whirlyball irregular, no doubt about it. Yes, he's wearing a sports coat. He wears it if there's an opportunity to make $1M. And he wears it in front of his boss. And today, we are his boss. If you have issues, come talk to him. He's an employee of ARIN; it's his job to help make things better.
4-byte ASN stats, since policy inception in 2007:
  448 requests for 4-byte ASNs
  69 4-byte ASNs issued
  42 exchanged
Yahoo is the only company raising its hand that does not yet support 4-byte ASNs. Bad Yahoo!!
Whois traffic has been going through the roof; they added more proxies in front to support it. Apparently, there are IP management packages that do whois queries.
It would be good to find out who is doing it, and talk to ARIN engineering to find a better way of handling it. We can't keep up if so many machines on the internet keep doing it like this. Source addresses are all over; no sign of bots; could be a DLL or Mac system startup that's doing it. Please, don't embed whois lookups in everyone's computers like this!!
Whois-RWS replaced whois on July 19th: major upgrade to the directory service, more efficient, documentation describing the changes. Listener on port 43 supporting legacy whois clients; also utilizes the web to address whois resources, addressable as RESTful URLs; future features will use the REST interface. More at https://www.arin.net/resources/....
Specified Transfer Listing Service deployed in ARIN Online Aug 30th; implements section 8.3. It's a listing resource to list resources you can make available for others to pick up. It allows you to match up donors with recipients. Nobody's in the listing service yet, because nobody's been turned away. Two columns: those who have resources they can free up, and a column with people who need resources. The actual matching up is someone else's problem. But if two people match up, ARIN can handle that transfer of resources. https://www.arin.net/resources/transfer_listing/index.html But you can at most get a 12 month supply. It doesn't give you a long-term solution; you still have to look to v6.
Public-facing development efforts, under https://www.arin.net/:
  ARIN Online -- /knowledge/roadmap.html
  Net Templates: /features/template_changes.html -- turns out templates didn't match up well with how resources were requested and used.
  DNSSEC -- signing zones now; interfaces to allow you to insert DS records rolled out in Q4 2010; UI preview at /featurs/delegation_management.html
  RPKI -- production ready by end of 2010; pilot available at http://rpki-pilot.arin.net/ ; starting next year, you can link your RPKI into the ARIN RPKI tree, and they'll interface with you.
Learn about these and upcoming features at https://www.arin.net/features/
Lots of outreach this year, mostly on IPv4/IPv6 education: /knowledge/v4-v6.html -- you can grab the community-use IPv4/IPv6 slide deck. US Federal CIO and CTO were announced, and all federal websites will be dual-stacked by December 2012; if you have federal customers, expect to have requests coming your way. No industry requirement yet, but people should recognize this will increase the push for v6. IPv6 wiki: http://www.getipv6.info/ -- if you have your own v6 info, feel free to put it up on the wiki.
Policy implementation, implemented on 9 Sept:
  Initial v6 allocs -- multihomers can get /32s
  reduced IPv4 end user minimum to /24
  require unused allocations to be returned
Adopted, pending implementation, on Aug 10: waiting list for unmet IPv4 requests [2010-1]
Current draft policies to be discussed at ARIN XXVI:
  increasing v4 reserve for facilitating IPv6 deployment from /10 to /8
  IPv6 /32 and larger allocs for
  global policy for v4 allocations
  standardize IP reassignment
  NRO NC
Voting changes for NANOG meeting attendees: starting with NANOG50, members can vote throughout the entire meeting block, not just on the last day. You must have registered for NANOG prior to 9/21. You may still only cast one vote, even if you also registered for ARIN as well.
Upcoming ARIN meetings: Puerto Rico, San Juan in April, not a joint meeting; in fall, Philadelphia joint meeting in October. References: /policy/proposals/index.html, /participate/mailing_lists.html. Come to the ARIN meeting the second half of this week.
Rear mic: Kevin Oberman, ESnet. Federal requirement for IPv6; did they make sure they don't have weasel-words in place that let them use different DNS names for the websites, to let them hide it away without actually supporting it? In 2008, they brought up v6 long enough to get a ping through, then shut it down. This states it will be ongoing, and by 2014, internal services will be available via v6 as well.
Cathy Aronson, ARIN AC: there's a whole bunch of Advisory Council members here; if you have issues, come talk to them. Also, ARIN meetings have a great remote participation option as well, if you can't stay for it.
Donni Roisman: if you have tools that do lookups on 4-byte ASNs, make sure to expand search strings; remember asplain as well as asdot formats!!

Geoff has a nice talk about IPv6 background radiation we'll sneak in now, since we have some extra time.
The universe runs at 2.3 degrees Kelvin; that's the echo of the big bang from 13.7 billion years ago; some background microwaves radiating in the dark. If you put your router in an unadvertised part of space and just listen, you'll get about one packet every 2 seconds. Conficker hits the low half of a /8 faster than the top half of a /8; it's toxic traffic hitting Windows boxes. There's about 5.5 Gbps across the whole of v4 space now. 1.1.1.0/24 is about 100 Mbps of crap right now.
IPv4 vs IPv6: darknets in v4 have been the subject of study; what about v6? 2400::/12: a long time ago, RIRs got large blocks of space. Allocated to APNIC on 3 Oct 2006; only 1.59% allocated so far. 709 allocations, but only 323 advertisements; the rest not yet advertised. He advertised the whole /12 to see what hit it. About 500 kbits/sec of traffic hitting the dark listener. It's not TCP, it's not UDP, it's ICMP. In v4, Conficker is TCP SYNs and ACKs. At peak, it hit 3.5 Mbits in v6. Average traffic rate: 407 kbits (726 packets per second). IMP: he's getting ICMP unreachable; it means something tried to reach something that didn't exist, from the wrong address. 3/4 of the traffic is the blind leading the blind to places they don't know where they are going. Only one /20 is causing all the dark traffic: 2408::/20, mostly to NTT East, JP. It uses it for IPTV; do they charge for traffic there? People hack their boxes to tunnel traffic through the IPTV operation.
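An added example, not Geoff's code, of the kind of classification a dark-space listener runs over what it receives: it parses raw IPv6 packets and sorts them into the buckets the talk uses (ICMP unreachable, pings, TCP SYN, SYN+ACK, data with no handshake, DNS queries), and separates traffic toward a sub-prefix that is allocated and advertised (leakage, here modelled by 2408::/20 only because the talk names it) from traffic toward the genuinely unallocated remainder of 2400::/12. The packets, the capture duration and the resulting rates are constructed for the example.

```python
"""Classify packets seen by a dark-space (unadvertised prefix) IPv6 listener.

Added example; not Geoff Huston's code. All packets below are constructed inline,
and 2408::/20 plays the one "allocated and advertised" sub-prefix (assumption).
"""
import ipaddress
import struct
from collections import Counter

DARK_PREFIX = ipaddress.ip_network("2400::/12")
# Sub-prefixes someone actually advertises; anything else in DARK_PREFIX is "really dark".
ADVERTISED = [ipaddress.ip_network("2408::/20")]   # assumed for the example


def build_ipv6(src, dst, next_header, payload):
    """Minimal IPv6 packet: 40-byte base header + payload (constructed test input)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload


def tcp_segment(sport, dport, flags, data=b""):
    # 20-byte TCP header (data offset 5), no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + data


def udp_datagram(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmpv6(type_, code=0):
    return struct.pack("!BBH", type_, code, 0) + b"\0" * 4


def classify(pkt):
    """Return (category, src, dst) for one raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("not-ipv6", None, None)
    plen, nh = struct.unpack("!HB", pkt[4:7])
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    body = pkt[40:40 + plen]
    if nh == 58 and body:                         # ICMPv6
        t = body[0]
        cat = {1: "icmp-unreachable", 128: "icmp-echo-request"}.get(t, "icmp-other")
    elif nh == 6 and len(body) >= 20:             # TCP
        flags, doff = body[13], (body[12] >> 4) * 4
        syn, ack = flags & 0x02, flags & 0x10
        if syn and not ack:
            cat = "tcp-syn"                        # random strobing / probing
        elif syn and ack:
            cat = "tcp-synack"                     # wrong source, local config errors
        elif len(body) > doff:
            cat = "tcp-data-no-handshake"          # data with no handshake first
        else:
            cat = "tcp-other"
    elif nh == 17 and len(body) >= 8:             # UDP
        dport = struct.unpack("!H", body[2:4])[0]
        cat = "dns-query" if dport == 53 else "udp-other"
    else:
        cat = "other"
    return (cat, src, dst)


def is_really_dark(dst):
    """Destination inside the listened prefix but outside every advertised sub-prefix."""
    return dst in DARK_PREFIX and not any(dst in n for n in ADVERTISED)


def summarize(packets, seconds):
    """Counts per category, the subset headed for unallocated space, and rates."""
    counts, dark = Counter(), Counter()
    for pkt in packets:
        cat, _, dst = classify(pkt)
        counts[cat] += 1
        if dst is not None and is_really_dark(dst):
            dark[cat] += 1
    total = sum(counts.values())
    return {"by_category": dict(counts), "really_dark": dict(dark),
            "pps": total / seconds,
            "seconds_per_dark_packet": seconds / max(1, sum(dark.values()))}


def sample_capture():
    """Constructed packets mimicking what the talk describes (not real capture data)."""
    return [
        build_ipv6("2001:db8::1", "2408::1", 58, icmpv6(1, 3)),                         # unreachable, leakage
        build_ipv6("2001:db8::2", "2400:1::1", 6, tcp_segment(40000, 80, 0x02)),        # SYN into dark space
        build_ipv6("2408::9", "2408::2", 6, tcp_segment(80, 40001, 0x12)),              # SYN+ACK, wrong source
        build_ipv6("2001:db8::3", "2400:2::5", 6, tcp_segment(40002, 25, 0x18, b"MAIL")),  # data, no handshake
        build_ipv6("2001:db8::4", "2408::53", 17, udp_datagram(53000, 53, b"\x12\x34")),   # DNS query
        build_ipv6("2001:db8::5", "2400:3::1", 58, icmpv6(128)),                        # ping to nowhere
    ]
```

The split between `by_category` and `really_dark` is the point of the exercise: with a real capture, the first tells you what kind of leakage dominates, the second is the rate you would quote as the prefix's actual background radiation.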
There is no direct equivalent of RFC1918 private use in IPv6, so mostly what we see is really leakage. Allocated vs unallocated dark traffic: real dark traffic is one packet every 38 seconds for the entire /12. Most of the traffic count is really ICMP, still. Some SYN packets; that's just random strobing. SYN+ACK packets: wrong source, local config errors. More SYN+ACKs than SYNs: 6392 vs 1100. And then some DATA packets; how on earth did that happen? Stateless TCP in DNS without handshake; data with no TCP handshake first? TCP probing, bunches of it: source probing through addresses, looking for destinations.
Self-misconfiguration: one user tried to send 780 emails in v6; they all failed and fell back to v4, so the user never realized it. 2892 queries into dark space for DNS; since they're dual stacked, the v4 fallback patches it up. 7800 pings to nowhere.
IPv6 dark traffic: it's not toxic; you can't address-scan it. Most traffic is leakage from private use. 55 billion years, 6 times the life of the universe, to scan a /48 at a reasonable rate. Routing doesn't create security. Private addresses aren't private. People don't type addresses in correctly. You don't notice your machine is any slower, due to Conficker slowing it down already. What happens in v4 doesn't translate into v6; address scanning doesn't work. Scanning in v6 will follow DNS scanning, not address scanning.

We take a break now.

Mike Hughes welcomes people back from break at 1130 hours Eastern Time. Thanks to Spectrum TV for giving away the Apple TVs as prizes! Two winners: Bruce Horth, Bea Rosemann, ICANN/IANA.

ILNP: a whirlwind tour. Saleem Bhatti, University of St Andrews, UK. What, why, when, how.
Identifier Locator Network Protocol, http://ilnp.cs.st-andrews.ac.uk -- enhances IP functionality through the use of crisp naming; work in progress; focus on network and transport layers now; ILNPv6 as a parallel/concurrent system on existing infrastructure. Based on Mike O'Dell's ideas; bottom-up approach.
New requirements: look at supporting a harmonized solution to many network functions: multihoming, mobility, multipath, localized addressing (NAT), traffic engineering, packet-level end-to-end security. Try to do it with a harmonized, single approach, not a bunch of overlays. Want to keep the core network from having to change too much; make it incrementally deployable, and keep it backwards compatible. Core network devices shouldn't need to change; reuse existing core protocol deployment; endpoints change.
Names: any set of bits that label an object in the network stack. Semantics defined within the context of the object. Application layer protocols: names not cleanly used now. https://marston.cs.st-andrews.ac.uk/ TCP uses a tuple to identify a connection; endpoints all include identifiers (IPs, ports). Network layer: IP address bits used for routing, used as a locator. If you look at physical interfaces, you see IP addresses bound to a given interface, not just to the whole machine.
The overloading of the IP address has been known for some time now; want to get away from it. RFC4984 makes note of that, almost half a decade ago. RFC2101 in 1997 says a similar thing: overloading of the semantics of the IP address will probably be a bad thing. IEN 1 (29 July 1977), section 3 about addressing, notes that physical vs logical addressing causes issues if you want them to move, or be multiply connected. Lots of wisdom also in other IENs.
Layers are entangled:
  app layer: FQDN or IP
  transport: IP plus port
  network: IP
  interface: IP
Lots of entanglements; problems for harmonizing the new requirements. Right now, we use extensions and additional boxes to tunnel and terminate connections. Looking to clean up those entanglements.
ILNP supports:
  app layer: FQDN
  transport: identifier (+ port #) (not topologically based)
  network: locator (topologically based)
  (interface) (dynamic mapping)
ILNPv6 can be seen as a set of extensions on IPv6: same packet format; core routers don't need to change; incrementally deployable; backwards compatible with v6. Split the 128-bit IPv6 address: 64-bit locator (network name), 64-bit identifier (I), node name. Can be squished into v4 as well.
IPv6 address modifications: take the same address structure, same syntax and semantics for the locator. For the identifier, for the node itself, bits only acted on by the end system itself. End systems need to be modified to know to split the address space into two parts.
Locator is topologically significant: names a subnetwork; used only for routing and forwarding in the core. Identifier is not topologically significant: names a logical/virtual/physical node; does not name an interface; upper layer protocols bind only to the identifier. Locator can change value during the lifetime of a transport session; multiple locators can be used simultaneously. Identifier cannot change during the lifetime of a transport session. No free lunch; it requires more use of DNS. Identifier ID names a node; Locator L64 names a subnet; etc.
Development options: simulation -- good control, high scalability. Emulation: use of an overlay network is feasible; masters student, 2009, some caveats. Testbed in progress.
DNS support -- not new, but explicit in ILNPv6: new RR + zero TTL for some DNS records; secure Dyn Update for locator changes; renumbering plus address management at sites; no globally routeable identifier.
Comparison with LISP: LISP is a customer-focused, practically-directed engineering solution, aimed at controlling route table growth. ILNP focuses on fewer changes at the network, more at the end host. Basically: LISP focuses on network changes, ILNP on end-host changes. Probably not deployable on v4 as it is.
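An added illustration, not the St Andrews implementation, of the address split the talk describes and its consequence for transport state: the upper 64 bits are treated as the Locator (L64), the lower 64 as the Identifier (NID), sessions key only on identifiers and ports, so a segment arriving from the same node under a new locator still matches the session, where a plain IPv6 host keyed on whole addresses sees an unknown peer. The documentation-prefix addresses and the session bookkeeping are assumptions made for the example.

```python
"""ILNPv6 locator/identifier split and identifier-keyed transport state.

Added example; not the St Andrews ILNP code. Addresses are documentation
prefixes, and the session bookkeeping is a simplification (assumed).
"""
import ipaddress

MASK64 = (1 << 64) - 1


def split(addr):
    """Split an IPv6 address into (L64 locator, NID identifier), both ints.
    The locator is the topologically significant upper half; the identifier
    names the node and is only acted on by end systems."""
    v = int(ipaddress.IPv6Address(addr))
    return v >> 64, v & MASK64


def join(locator, identifier):
    """Rebuild the on-the-wire address (same packet format as plain IPv6)."""
    return str(ipaddress.IPv6Address((locator << 64) | identifier))


class IlnpSession:
    def __init__(self, local_addr, lport, remote_addr, rport):
        _, self.local_id = split(local_addr)
        remote_l, self.remote_id = split(remote_addr)
        self.lport, self.rport = lport, rport
        self.remote_locators = {remote_l}      # several at once: multihoming/multipath
        # Transport state binds to identifiers + ports only, never to locators.
        self.key = (self.local_id, lport, self.remote_id, rport)


class IlnpHost:
    """End-system demux by identifier; locators may change mid-session."""
    def __init__(self):
        self.sessions = {}

    def open(self, local_addr, lport, remote_addr, rport):
        s = IlnpSession(local_addr, lport, remote_addr, rport)
        self.sessions[s.key] = s
        return s

    def deliver(self, src_addr, sport, dst_addr, dport):
        """Return the session an inbound segment belongs to, or None."""
        src_l, src_id = split(src_addr)
        _, dst_id = split(dst_addr)
        s = self.sessions.get((dst_id, dport, src_id, sport))
        if s is not None:
            s.remote_locators.add(src_l)     # learn the peer's new or extra locator
        return s

    def send_targets(self, session):
        """Every address the peer is currently reachable at."""
        return sorted(join(l, session.remote_id) for l in session.remote_locators)


class ClassicHost:
    """Plain IPv6 for contrast: state keyed on whole addresses, so a locator
    change looks like a different, unknown peer."""
    def __init__(self):
        self.sessions = {}

    def open(self, local_addr, lport, remote_addr, rport):
        self.sessions[(local_addr, lport, remote_addr, rport)] = True

    def deliver(self, src_addr, sport, dst_addr, dport):
        return self.sessions.get((dst_addr, dport, src_addr, sport))
```

The `deliver` path is also where the "no free lunch" lives: a real stack has to check that the new locator genuinely belongs to the same node (the talk's secure dynamic DNS update) before accepting it, which this sketch does not do.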
More information about it at ilnp.cs.st-andrews.co.uk
Kevin Oberman, ESnet -- first talk about improving IPv6, rather than just trying to get it up and running.
Michael Sinatra, UCB: what are thoughts around best practices for auth DNS servers in the ILNP world, and how do you handle updates for locator values to the auth servers when a link changes? A: you need DNSSEC to be running, you make updates, you check authenticity of the update, etc. How will other networks know about the changes?
Danny McPherson: updates in large distributed systems are challenging. Can he post data on TTLs, no caching, and what the implications were for the environment? He can't share the data; it was collected under the Data Protection Act in the UK; they aren't allowed to share the data, but all he can share is the graphs. A high level would be fine.
Dave Meyer: wanted an opinion on one thing; is the locator/identifier split the right way to scale? We're getting it built, and getting some pragmatic information about the system now. Some of the problems that become apparent when building weren't apparent to the builders. If you do the I/L split, you have to maintain the mapping of L to I; those are n-squared problems, fundamentally. You're trying to introduce robustness, but you're introducing complexity, which brings with it fragility. It's not rate*state; that was Tony Li, routing system. This is the binding from locator to identifier; how do you know if it's any good? A: when setting up a session, you look up the FQDN, get the mapping of the L/I pairing. What if the locator is dead, or not reachable for you? The host can't just iterate down to the next item if the SYN-ACK isn't received, the way it can with DNS. You have similar problems with a locator moving midway through a conversation; no way to update the conversation with the new locator. And no way to signal the database that the locator has changed. They're not far enough along to really benchmark and determine some of those cases, but it is good to be aware of them.
You can still submit for lightning talks until 5pm; only one slot for them, due to having so much good content.

Next up is Tom Scholl from nLayer: Building a cheaper peering router. Actually, it's more about buying a cheaper router, and applying some routing tricks. tscholl@nlayer.net No longer at the phone company, yay!
Network infrastructure can be expensive! Some companies don't mind spending a lot. One of the most common issues encountered when networks need peering upgrades is the router ports themselves: if not for you, then for the network you want to connect to; no ports available, no power, no space, etc. The price of non-revenue-generating ports is an issue. 10GE is standard for interconnection now; many networks move away from SONET-capable routers to ethernet routers. Peering routers are still a significant expense; many existing peering (edge) routers are running out of steam.
Vendors have reacted to this need. Expensive core routers: GSR, J, T, etc. Cheap, but limited, customer boxes: 6500s, etc. Middle tier boxes: MX, 7600, etc. Ports are more reasonable. In the last few years, an explosion of much cheaper and denser 10G datacenter boxes: only datacenter optics, SFP+, no long reach; lack large packet buffers; outsourced ASICs; some neat characteristics too: small boxes with 48 10G port density. ASR9k is EZchip; MX is Marvell chips. Could you put these cheaper boxes in a service provider role? Vendors say no. Limited FIB size: the internet is 330,000, boxes can do 12,000. Lack of QoS, maybe 4 queues per interface. Lack of decent software. Access-lists/packet filters.
Getting around FIB constraints: separation of RIB vs FIB is critical. The RIB holds info from routing protocols (BGP, IGP). The FIB holds the final table used for forwarding packets. Large RIB, lots of BGP peers: RAM is cheap, even 1U boxes have a gig of RAM. Just avoid installing all the RIB entries into the FIB. How many people really use QoS in their networks?
Most networks just transport bits across the internet.
People selling multi-services on converged network are
Simple QoS features these devices have shouldn't be show stoppers.
Lack of forwarding features: driven by datacenter, cloud computing; support more modern protocols in the datacenter: TRILL, 1aq, MPLS VPNs, VPLS.
Packet filters: critical to have some level of infrastructure protection on your edge; protect your edge, protect your customers. At best, simple filters up to layer 3, layer 4; don't expect logging, policing, complex matching. Focus on filtering packets towards infrastructure, then blackhole elsewhere.
Decent software: cheap 1U/2U boxes have really crappy code. Chip manufacturers don't know the first thing about writing good software for routers; not their area of expertise. Some vendors just ship the reference software; most duplicate Cisco at a first-grade level. Other vendors modify an existing OS to control 3rd party ASICs: Cisco, Juniper, Foundry/Brocade, etc. The OpenFlow project is particularly interesting here: it allows developers to write third party software to control the routers; removes the dependency on good code on the box itself.
What's unique about this? Pull off routing without a full table; rely on BGP unicast-label. BGP unicast-label is another BGP address family, similar to unicast; it associates a BGP update with a label; used mainly for MPLS signalling.
So, take an EX4500: 48x10G in 2U, 12k FIB, 1G DRAM. Hang it off something smart; stub it off a core router; assume the core router has a full table; the 1U box handles links to peers, etc. Establish IGP adjacencies; it has to know how to recurse to loopbacks. Need BGP next-hops visible; pass IGP cost as MED; BGP next-hop validation/reachability; link-liveliness detection with the rest of the network. A well designed IGP should be small anyhow.
Split RIB from FIB: define what routes you want in the FIB; "forwarding-table export" policy on Juniper. What goes in the FIB?
  directly connected interfaces
  IGP routes
  internal/customer routes: match on BGP communities
  default route pointing internally: questionable -- depends if you trust your peers.
Bring up BGP internally; utilize BGP Add-Paths: allows you to advertise multiple paths for the same prefix, not just the best path. New feature, very cool; has a significantly higher memory footprint; you control what routes you want to advertise duplicates of.
Use BGP unicast-label + MPLS to bypass lookups: advertise each peer point-to-point into IBGP with a unicast label. Redistributing directly connected /30s only originates implicit nulls, which doesn't help you; generate a /32 static route of the peer's IP address with a next-hop of the peer's address; this generates a label per next-hop. When you learn routes from a peer/customer/transit, do not rewrite the BGP next-hop (no next-hop-self); advertise the true next-hop (/30); do the lookup on the label for forwarding. You advertise unicast-labels upstream into your core, and then the core has multiple prefixes mapped into the next-hop labels. Keep the entire routing table off the little box, by using the inner label to determine which interface the route goes out.
That covers outbound traffic; what about inbound traffic? If your "internal routes" are larger than your FIB, you have to cheat: point default to the upstream router; can point to anycasted "full table" helpers. If your internal routes are few, you can just put them in your FIB. The problem with default is you're at risk from someone pointing static routes or defaults at you.
Does it really work? "show route table mpls.0" seems like it works. The Marvell chip seems like it doesn't actually program them into the tables, in spite of accepting the commands.
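An added simulation, not nLayer's configuration or code, of the two tricks just described: a forwarding-table export policy that installs only connected, IGP and community-tagged internal routes plus a default, so a full-size RIB stays out of a 12k-entry FIB, and the unicast-label arrangement where the core router resolves a destination to the peer's true next-hop and to the label bound to that next-hop, so the stub box forwards transit traffic on the label alone. The community value, label numbers, interface names, addresses and the Route/Peer record shapes are assumptions; on Junos the knob for the real policy is the "forwarding-table export" statement the talk names.

```python
"""Keep a small-FIB box out of the full table: RIB/FIB export policy plus
BGP unicast-label forwarding, as sketched in Tom Scholl's talk.

Added example, not nLayer's configuration. Community, labels, addresses and
interface names are assumptions made for the simulation.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix protocol next_hop communities")
Peer = namedtuple("Peer", "iface local_ip peer_ip")

FIB_LIMIT = 12000          # per the talk: the cheap box programs ~12k entries
INTERNAL = "65000:100"     # assumed community tagging internal/customer routes
UPSTREAM = "10.0.0.1"      # assumed address of the full-table router upstream


def fib_export(rib, upstream=UPSTREAM):
    """Export policy: connected, IGP and community-tagged internal routes go to
    the FIB, plus a default toward the smart box. Everything else stays in RIB."""
    fib = {}
    for r in rib:
        if r.protocol in ("direct", "igp", "static"):
            fib[r.prefix] = r.next_hop
        elif r.protocol == "bgp" and INTERNAL in r.communities:
            fib[r.prefix] = r.next_hop
    fib["0.0.0.0/0"] = upstream
    return fib


def fits(fib):
    return len(fib) <= FIB_LIMIT


def synthetic_rib(n_external, n_internal):
    """Constructed RIB: connected + IGP, n_external untagged peer routes,
    n_internal routes carrying the internal community."""
    rib = [Route("192.0.2.0/30", "direct", "192.0.2.1", ()),
           Route("10.0.0.0/24", "igp", "10.0.0.1", ())]
    for i in range(n_external):
        rib.append(Route(f"{100 + i // 65536}.{(i // 256) % 256}.{i % 256}.0/24",
                         "bgp", "192.0.2.2", ()))
    for i in range(n_internal):
        rib.append(Route(f"172.{16 + i // 256}.{i % 256}.0/24", "bgp", "10.0.0.1", (INTERNAL,)))
    return rib


def label_bindings(peers, base_label=300000):
    """Per the talk: a /32 static for each peer's IP (next-hop the peer itself)
    yields one label per next-hop, advertised upstream as a unicast-label route.
    Returns {peer_ip: (label, egress iface)}; label values are an assumption."""
    return {p.peer_ip: (base_label + n, p.iface) for n, p in enumerate(peers)}


def core_lookup(dst_ip, full_table, bindings):
    """On the full-table core router: longest match -> true BGP next-hop (the
    stub did not set next-hop-self) -> label bound to that next-hop."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for r in full_table:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    if best is None or best[1].next_hop not in bindings:
        return None
    return bindings[best[1].next_hop][0]


def stub_forward(label, bindings):
    """On the stub box: mpls.0 lookup only. The inner label selects the egress
    interface; no IP FIB entry for the destination is needed."""
    for lbl, iface in bindings.values():
        if lbl == label:
            return iface
    return None
```

`core_lookup` followed by `stub_forward` is the outbound path the talk describes; the inbound direction is covered only by the default route `fib_export` installs, which is exactly where the "someone pointing defaults at you" risk comes from.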
:(
Almost there: most of the pieces are there to do this. BGP Add-paths to give you multiple BGP path visibility; RIB/FIB separation. There is hope: MPLS support should be coming in future Juniper EX models; other merchant silicon boxes should have some MPLS support, hopefully within the next year. Don't expect great MPLS software implementations; may need static LSPs; routing protocol functionality might not all be there. Juniper EX used as an example; it gets the routing part right. The open question is how these boxes handle MPLS ops: push/pop/swap.
Questions, comments, complaints: IM question from Nick at INEX: smaller boxes have shallow buffers; how will the network behave on boxes with tiny buffers? The only thing you do there is operate in that manner, work within the limitations, accept performance issues.
Joel Jaeggli: he's been thinking about this on their EX box, awaiting some feature enhancements on the box; it would allow using boxes that don't cost $15k per port to do it. In the context of buffers, one of the biggest issues is draining from one 10G port to a bunch of 1G ports; a congruent edge seems to work better than mismatched sizes. As MPLS moves into the datacenter, we'll see the boxes support more of the functionality we need.

Scott Whyte, Google, swhyte@google.com: The open source LSR.
Open Source LSR: MPLS label switching router, running OSPF and LDP for the control plane; hardware forwarding (4x1GE ports); open source software AND hardware.
Why build one? Most of the parts already exist; if the parts are already there, why not put them together. Create community involvement; help bootstrap other people to work on it; enable interesting network research; hardware was usually the stopper. There have been other open source routers in the past; they couldn't do things at line rate, handle small packets, etc.
Components: NetFPGA, OpenFlow (both hosted by Stanford), mpls-linux, quagga-ldp, LSP Synchronizer (one piece to tie it all together).
NetFPGA: research project, hosted by Stanford.
Line-rate open network research in hardware: Virtex-III FPGA, associated memory, PCI card, 4 GE PHYs; SATA links out the back, to connect 2 together to get 8 Gb of throughput.
OpenFlow: also hosted by Stanford. Enable research and existing protocols to coexist on the same networks. Programming the flow table with OpenFlow: OpenFlow Controller (the smarts live here, makes the forwarding decision); OpenFlow wire protocol carries flows to the switch; OpenFlow kernel module for Linux (does HAL, hands to the FPGA driver); NetFPGA driver programs the chips on the hardware.
MPLS: OpenFlow code base modified to support push/pop/swap operations. They dropped the OpenFlow controller out, and just had the kernel module handle updates and program the HAL into the FPGA driver. Inputs are tuples: the flow you want, the action to take. Match on some MPLS label; action is to swap and forward. If a packet for the host is received, it fails the hardware match and goes into the kernel path (makes NetFPGA look like a NIC to the kernel, goes up to the kernel like normal).
mpls-linux: patches for kernel 1.6.32.16; source for building MPLS kernel modules; kernel structures now understand MPLS primitives. Patches for iproute2: updated 'ip' command, new 'mpls' command.
quagga-ldp: standard quagga provides OSPF; the project adds LDP support. LDP parameters used: downstream unsolicited, liberal retention, ordered control.
LSP Synchronizer: quagga provides labels via ldpd and kernel FIB updates via zebrad; OpenFlow provides FIB programming on the NetFPGA. LSP sync has to: scan the kernel LFIB; compare to the FIB on the NetFPGA; if out of sync, provide updates to it. The NetFPGA OpenFlow module talks to dpctl in the kernel module; also the NetFPGA driver can talk to OSPF and LDP as well.
Software vs hardware forwarding: simple test, bidirectional throughput, 68 byte and 1504 byte packets. Software (kernel only) doing 30 Mbps at 68 bytes, vs a full gig in hardware. Next up, verify the control plane.
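An added example, not the opensource-lsr project's code, of the reconciliation job the LSP Synchronizer is described as doing above: scan the kernel LFIB (what ldpd signalled and zebra installed), diff it against the flow table programmed into the NetFPGA, and push only the adds, modifies and deletes needed to bring the hardware into sync. The entry layout, the update calls on the fake device and the interface names are assumptions; nothing here touches real hardware.

```python
"""Reconcile the kernel LFIB with the NetFPGA flow table: the LSP Synchronizer's job.

Added example, not the opensource-lsr code. Entry layout, update calls and
interface names are assumptions; FakeNetFpga stands in for the OpenFlow kernel
module + NetFPGA driver.
"""
from collections import namedtuple

# One kernel LFIB entry: incoming label -> (operation, outgoing label, egress port)
Nhlfe = namedtuple("Nhlfe", "op out_label out_iface")


def validate(nhlfe):
    """Reject entries the data plane cannot express: swap/push need an outgoing
    label, pop must not carry one."""
    if nhlfe.op not in ("swap", "push", "pop"):
        raise ValueError(f"unknown operation {nhlfe.op!r}")
    if nhlfe.op in ("swap", "push") and nhlfe.out_label is None:
        raise ValueError(f"{nhlfe.op} without outgoing label")
    if nhlfe.op == "pop" and nhlfe.out_label is not None:
        raise ValueError("pop with an outgoing label")


class FakeNetFpga:
    """Constructed stand-in for the hardware: a label-match flow table plus a
    log of the updates it was asked to apply, in order."""
    def __init__(self):
        self.flows = {}
        self.log = []

    def add(self, in_label, nhlfe):
        self.flows[in_label] = nhlfe
        self.log.append(("add", in_label))

    def modify(self, in_label, nhlfe):
        self.flows[in_label] = nhlfe
        self.log.append(("mod", in_label))

    def delete(self, in_label):
        del self.flows[in_label]
        self.log.append(("del", in_label))


def diff_tables(kernel_lfib, hw_flows):
    """Scan the kernel LFIB against the hardware table: adds, changes, removals."""
    adds = {l: n for l, n in kernel_lfib.items() if l not in hw_flows}
    mods = {l: n for l, n in kernel_lfib.items() if l in hw_flows and hw_flows[l] != n}
    dels = [l for l in hw_flows if l not in kernel_lfib]
    return adds, mods, dels


def synchronize(kernel_lfib, fpga):
    """One synchronizer pass; returns (#added, #modified, #deleted).
    Everything is validated before any update, so a bad entry leaves hardware untouched."""
    for n in kernel_lfib.values():
        validate(n)
    adds, mods, dels = diff_tables(kernel_lfib, fpga.flows)
    for l in dels:                 # withdraw stale LSPs first
        fpga.delete(l)
    for l, n in mods.items():      # then re-signalled ones
        fpga.modify(l, n)
    for l, n in adds.items():      # then new LSPs
        fpga.add(l, n)
    return len(adds), len(mods), len(dels)


def hw_forward(fpga, in_label):
    """Data-plane behaviour for one labelled packet: a flow-table hit applies the
    action; a miss is punted to the kernel, as the talk describes for packets
    addressed to the host itself."""
    n = fpga.flows.get(in_label)
    if n is None:
        return ("punt-to-kernel", None, None)
    return (n.op, n.out_label, n.out_iface)
```

Running `synchronize` repeatedly is idempotent: a second pass with an unchanged LFIB issues no updates, which is the property a periodic scanner needs so that it does not churn the hardware table.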
3 LSRs, with a Juniper M10 and a Redback as edges; OSPF and LDP on all devices; were able to distribute labels between all 3 implementations, ping to their hearts' content. Use the LSR core, form iBGP between the Juniper M10s, simulate a full BGP table; could be used in a BGP-free core. He focused on the LSR, doing swapping only. Could support pop/push primitives, to make it an LER as well.
Future work, near term: bugfixes, 64-bit Linux kernel, port to BSD, RSVP-TE support in Quagga, 10G NetFPGA card. Medium term: centralized control plane via an OpenFlow controller; look at how to build a small network using devices with an external controller. BGP-free core design based on open-source LSRs: inexpensive, scales in the data plane.
http://code.google.com/p/opensource-lsr/ Can get it working up to the hardware point without a NetFPGA card. Repos are listed on the slide deck as well. The more support we can get directly, that would be wonderful. Thanks to Jonathan Ellithorpe, Stephen Stuart, and others for their support on this project.
Danny McPherson: people have looked at OpenFlow to reduce traffic through virtual systems with a hypervisor, link layer traffic that doesn't really need to be there; did he consider this for that purpose? A: no, that really wasn't something he was thinking about when working on this. There's an OpenFlow track this afternoon, if you want to know more about it.

LUNCH now; thanks to Nokia for the coffee break this morning; we're back at 1430 hours; if you're not sure where to go, there's a link, or go to tie.telx.com/nanog/ for info. Good panel this afternoon about TRILL and SPB.