[109969] in North American Network Operators' Group
Re: Advice requested for OpenBSD vs. Linux/OpenBGP vs. Quagga router
daemon@ATHENA.MIT.EDU (Beat Vontobel)
Thu Dec 18 08:55:35 2008
X-Envelope-From: b.vontobel@meteonews.ch
X-MDaemon-Deliver-To: nanog@nanog.org
From: Beat Vontobel <b.vontobel@meteonews.ch>
To: Marc Runkel <MRunkel@untangle.com>
In-Reply-To: <C56E78C7.873B%mrunkel@untangle.com>
Date: Thu, 18 Dec 2008 14:55:14 +0100
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Hi Marc,
> I saw from previous email that Quagga was recommended as opposed to
> OpenBGP. Any further comments on that? Also, any comments on the
> choice of OpenBSD vs. Linux?
>
> I don't want to start a religious war :-) Just curious about what
> most folks are doing and what their experiences have been.
We have run a similar setup for about a year. I also don't want to start
a "religious war" (being a happy user of both Linux and OpenBSD, for
different purposes), but in this scenario my decision was quick and
clear:

I went for OpenBSD with OpenBGPD, consistent with my experience
throughout the last few years that for the basic, "hidden" (from the end
user's perspective) network services (routing, firewalling, DHCP, DNS…)
OpenBSD never let me down and saved me a _lot_ of time and hassle as
an admin (having done this stuff with Linux before). And admin time is often
more valuable than one or two CPU cycles… (and as long as I
get the throughput I demand plus a large enough margin I really don't
care about those).

My basic rule of thumb now is (and I'm just pragmatic, not religious):
if I can get away with the base installation of OpenBSD for a service,
I really give it the first try. So too for OpenBGPD. It was also the
documentation, the clean design and the usability (okay, that's really
personal taste, but I really got to love the OpenBSD config file
style) that helped with that decision. And from my perspective, it
really was the right one: the setup just works, right from the
beginning. Flawless. With both Junipers and Ciscos as neighbors.
> We are planning to run two OpenBSD based firewalls (with CARP and
> pf) running OpenBGP in order to connect to the two ISPs.
Just one thing independent of the OpenBSD vs. Linux question:
depending on the complexity of your setup, and maybe also for a cleaner
design and possibly additional layers of security, I'd recommend
thinking about separating the "pure" firewalls from the BGP stuff. I do
have three OpenBGPD boxes towards the Internet as our BGP peers plus
two redundant pairs of OpenBSD carp/pf boxes towards different
internal networks and DMZs. Between the OpenBGPD and the carp/pf boxes
is our "backbone".

I experimented with a setup as you describe it (many different BGP/
router/firewalling roles combined on one pair of OpenBSD boxes) first,
but soon realized that (while perfectly okay for a simple setup) as
soon as you get more and more specialized requirements, things tend to
get unnecessarily complicated and you're probably better off with
dedicated boxes (if not for performance reasons, then still for the
design).
Best regards,
Beat Vontobel
-- 
Beat Vontobel, CTO, MeteoNews AG
Siewerdtstr. 105, CH-8050 Zurich, Switzerland
E-Mail: b.vontobel@meteonews.ch
IT Department: +41 (0)43 288 40 54
Main phone: +41 (0)43 288 40 50
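The split Beat describes above, a dedicated OpenBGPD border box in front of a CARP/pf pair, sketched as an added configuration example. This is not Beat's configuration and not from the OpenBSD project; every AS number, address, interface name, prefix and password is a constructed placeholder (RFC 5737 documentation addresses, private-use ASNs), and the syntax follows bgpd.conf(5) and pf.conf(5) as I know them, so check it against your own release with `bgpd -n` and `pfctl -nf /etc/pf.conf` before use. The security point of the separation shows in the filters: the BGP box only has to get prefix filtering right, and the firewall pair only has to get state and CARP right.

```conf
# --- /etc/bgpd.conf on a dedicated OpenBGPD border box ---
# Constructed example: private-use AS numbers, RFC 5737 addresses.
AS 65001
router-id 192.0.2.1
network 203.0.113.0/24            # the only prefix this box originates

group "upstreams" {
	neighbor 192.0.2.2 {
		descr      "ISP-A"
		remote-as  65010
		max-prefix 500000         # tear the session down on a runaway table
	}
	neighbor 198.51.100.2 {
		descr      "ISP-B"
		remote-as  65020
		max-prefix 500000
	}
}

# Filters: as in pf, the last matching rule wins, so start with a deny
# in both directions and open up explicitly.
deny from any
deny to any

# Inbound: accept ordinary Internet routes only (nothing longer than /24).
allow from group "upstreams" prefix 0.0.0.0/0 prefixlen 8 - 24
# ...but never our own space or RFC 1918 space, whichever ISP sends it.
deny from group "upstreams" prefix 203.0.113.0/24 prefixlen >= 24
deny from group "upstreams" prefix 10.0.0.0/8     prefixlen >= 8
deny from group "upstreams" prefix 172.16.0.0/12  prefixlen >= 12
deny from group "upstreams" prefix 192.168.0.0/16 prefixlen >= 16

# Outbound: announce our prefix and nothing else, so a mistake on the
# inside can never turn this box into transit between the two ISPs.
allow to group "upstreams" prefix 203.0.113.0/24

# --- /etc/hostname.carp0 on each member of a carp/pf pair ---
# Same line on the second box with "advskew 100" so the first one
# normally holds the shared address. Replace the password.
inet 203.0.113.254 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass REPLACE_ME advskew 0

# --- /etc/hostname.pfsync0: state sync over a dedicated crossover link ---
up syncdev em2

# --- /etc/pf.conf on the carp/pf pair ---
ext_if  = "em0"                   # faces the "backbone" towards the BGP boxes
int_if  = "em1"                   # faces one internal network or DMZ
sync_if = "em2"                   # pfsync only; nothing else on this link
int_net = "10.10.0.0/24"

set skip on lo

block log all

# keep the cluster alive: CARP on the routed interfaces, pfsync on the crossover
pass quick on { $ext_if $int_if } proto carp
pass quick on $sync_if proto pfsync

# what the inside may do: stateful out, nothing unsolicited in from the backbone
pass in  on $int_if inet from $int_net
pass out on $ext_if inet from $int_net
```

With this split, the firewall pair never sees a BGP session and the BGP box never carries per-connection state, so a failover of the CARP pair does not flap a peering session and a prefix-filter change does not touch the rule set that protects the DMZs.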