[c-nsp] Hiding MPLS L3VPN hops from the CE

Gert Doering gert at greenie.muc.de
Tue Aug 24 17:15:43 EDT 2010


Hi,

On Tue, Aug 24, 2010 at 02:38:03PM -0500, Justin Shore wrote:
> On 8/22/2010 6:31 AM, Peter Hicks wrote:
> >Just out of interest - is this for marketing reasons, or technical?
> 
> At my ISP it was for security reasons.  Our infrastructure was privately 
> addressed to limit exposure to the outside world.  In theory, a true 
> MPLS P core is analogous to a pure L2 switching core.  There's no reason 
> for anyone to ever know that those hops even exist.  

Just to add a contrary point of view.  One of our uplinks is operating a
global MPLS network.  If we do a traceroute somewhere that's passing 
via that uplink, we see their edge router facing us, and then we see 
the first router "behind" their network.

We had a few issues with packet loss on certain paths, sometimes up to
50% over the course of *weeks*, which hinted at a defective or overloaded 
link "somewhere".  In one specific case, we had symmetric mtrs, proving 
that the problem was in their network - but due to the MPLS topology 
hiding, we could not further pinpoint it.  It was "somewhere between 
Frankfurt/DE and Los Angeles/US".

We opened a ticket, their support did a one-time ping, saw no loss,
closed the ticket.  We tried yelling at our account manager for a while,
but gave up after getting nowhere - and the ISP at the far end just
terminated their contract with this transit ISP, solving the problem
for us as well...  and when our contract is due for renewal, this will 
be one of the factors affecting decisions.

So - *if* you do topology hiding, taking away network diagnosis 
capabilities from those of your customers that know how to read "mtr"
output - *then* make sure that your own network monitoring is really
up to speed, and that you notice if links are overloaded, have packet
loss, etc. etc.

I don't really want to start a heated debate on whether topology hiding
is good or bad - but it comes with some consequences :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de