Dave Taht
Mon Nov 26 09:00:45 EST 2012

On Mon, Nov 26, 2012 at 1:26 PM, Michael Richardson wrote:
>>>>>> "Richard" == Richard Brown <richard.e.brown at dartware.com> writes:
>     Richard> - I can see how the CeroWrt de-bloating algorithms help
>     Richard> protect against bad latency when I'm *uploading* big
>     Richard> files. I'm not sure whether using CeroWrt with its
>     Richard> CoDel/FQ/SFQ/etc. helps when I'm downloading big files,
>     Richard> though. What can I say about this?
> If the link from the broadband to the laptop is wireless, than it's
> quite possible that the wireless link experiences bufferbloat.
> This would be true:
>      - if the laptop is far from the base station the rate could be
>        lower than the broadband download link. (Especially now that
>        cable offers 50Mb/s downlinks...)
>      - if the wireless is bridged to wired, and there are many windows
>        boxes, broadcasting a lot, then the wireless link may be
>        otherwise saturated

One point of the rrul tests is that netserver runs out of xinetd on
the router itself, so it's possible to test wifi performance in the
presence of multiple workloads.

However, the overhead of running netserver on such a small box is too
extreme, presently. I hope to produce a simpler test that can, indeed,
work right on cerowrt, so you can easily diagnose the inside path on
your network.

You can certainly install netperf 2.6 or later on a heftier box,
locally on your network, and test wifi and wired that way.

> bad uplink latency will affect TCP ACKs, and can totally ruin your
> interactive ssh day too.

> But, in general, either the ISP has to debloat too, or it has to rate
> limit to below the actual bandwidth.

Rate limiting below the ISP's provided downlink-to-you bandwidth does
work, but tends to chop off 10-15% of what the ISP claims they are

>     Richard> - I believe the default DNS server in Sugarland is dnsmasq,
>     Richard> not bind. Is DNSSEC enabled by default? Also: there's a
>     Richard> report (Bug #411) that says that DNS is leaking internal
>     Richard> names to the outside world. What's the best advice for
>     Richard> closing this? ("list notinterface 'ge00'" is one
>     Richard> recommendation…)
> (In general, leaking names is really not that much of a worry...)

Names, no. Amplification attacks are a serious problem with DNS.

The internet is rife with worms and daemons that are leveraging open
dns servers for amplification attacks. In a few short weeks that macej
had left the port open,

"Having DNS open for a while made some evil forces notice it and use my IP
for DNS amplification attacks. I secured dnsmasq not to listen on ge00, but
I'm still getting over 300 UDP packets/s!"

I really hate having contributed to this problem with sugarland.
Nobody wants an extra 300 packets/s hitting their home network for any
reason. Please close this immediately upon installing sugarland.

I've tried very hard to respond to CVEs over the course of this
project (bind alone, had 5), but I'm away from the lab, in the middle
of a trip, in between a major upgrade of functionality to cerowrt and
trying to get funding to re-invigorate this project.

I haven't had much time to hack. None to test.

I would like to get to where we had infrastructure to easily create, test,
and push out security related fixes.

>     Richard> My plan is to give a little of the science behind
>     Richard> bufferbloat mitigation and also put in a plug for
>     Richard> CeroWrt. Any topics I haven't already mentioned that I
>     Richard> should? Thanks!
> Use the fountain images that Van Jacobson used at IETF84.

In my own preso at the lincs, I used my coffee cup...

There is an interesting preso that shemminger is using that uses soda
bottles to do something similar to both concepts. Jamming holes into
it randomly to simulate red....

I may adopt this - however in explaining fq_codel, I think I need to
add multiple cups, and an eye-dropper for the ant packets.
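Two small defender-side checks for the open-resolver problem discussed in this message, as an added example that is not part of the original thread or of CeroWrt itself: the first parses an OpenWrt/CeroWrt-style UCI `/etc/config/dhcp` fragment and confirms the dnsmasq section carries the `list notinterface 'ge00'` recommendation quoted above (ge00 is CeroWrt's WAN interface; the `interface` list is OpenWrt's usual allow-list counterpart and is assumed here, since the thread only mentions `notinterface`); the second counts inbound UDP/53 packets per second from tcpdump-style summary lines, the kind of number ("over 300 UDP packets/s") quoted in the thread, so an operator can tell whether the resolver is still being hit after the change. All config text, addresses and capture lines are constructed for the example.

```python
"""Added example (not from the original mailing-list thread): two checks
for an OpenWrt/CeroWrt router whose dnsmasq was reachable from the WAN.
All sample config text and capture lines below are constructed."""
import re
from collections import defaultdict

WAN_IFACE = "ge00"  # CeroWrt's WAN interface name, as in the thread

# Constructed sample: a dhcp config that still lets dnsmasq answer on the WAN.
OPEN_DHCP_CONFIG = """\
config dnsmasq
\toption domainneeded\t1
\toption localise_queries\t1
\toption local\t'/home.lan/'
\toption domain\t'home.lan'

config dhcp 'lan'
\toption interface\tlan
\toption start\t100
\toption limit\t150
"""

# Constructed sample: the same config after adding the recommended line.
CLOSED_DHCP_CONFIG = OPEN_DHCP_CONFIG.replace(
    "\toption domain\t'home.lan'\n",
    "\toption domain\t'home.lan'\n\tlist notinterface\t'ge00'\n",
)


def parse_uci(text):
    """Minimal parser for UCI config text. Returns a list of sections, each
    {'type', 'name', 'options': {k: v}, 'lists': {k: [v, ...]}}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip("'\"") for p in re.split(r"\s+", line, maxsplit=2)]
        kind = parts[0]
        if kind == "config" and len(parts) >= 2:
            sections.append({"type": parts[1],
                             "name": parts[2] if len(parts) > 2 else None,
                             "options": {}, "lists": defaultdict(list)})
        elif kind == "option" and sections and len(parts) == 3:
            sections[-1]["options"][parts[1]] = parts[2]
        elif kind == "list" and sections and len(parts) == 3:
            sections[-1]["lists"][parts[1]].append(parts[2])
    return sections


def check_dnsmasq_not_on_wan(text, wan=WAN_IFACE):
    """True only if every dnsmasq section excludes the WAN, either through
    `list notinterface <wan>` (the fix from the thread) or through an
    `interface` allow-list that omits it (assumed OpenWrt option)."""
    dnsmasq = [s for s in parse_uci(text) if s["type"] == "dnsmasq"]
    if not dnsmasq:
        return False  # nothing configured: cannot claim it is closed
    for s in dnsmasq:
        if wan in s["lists"].get("notinterface", []):
            continue
        allowed = s["lists"].get("interface", [])
        if allowed and wan not in allowed:
            continue
        return False
    return True


# Constructed tcpdump-style summary lines (time, src.port > dst.port, proto).
SAMPLE_CAPTURE = """\
10:00:01.100 IP 198.51.100.7.40001 > 203.0.113.9.53: UDP, length 40
10:00:01.200 IP 198.51.100.7.40002 > 203.0.113.9.53: UDP, length 40
10:00:01.300 IP 192.0.2.55.40003 > 203.0.113.9.53: UDP, length 40
10:00:01.900 IP 203.0.113.9.53 > 198.51.100.7.40001: UDP, length 512
10:00:02.100 IP 198.51.100.7.40004 > 203.0.113.9.53: UDP, length 40
10:00:02.400 IP 10.0.0.5.55000 > 203.0.113.9.443: Flags [S], seq 1
"""

# Matches only UDP packets whose destination port is 53.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+) > (\S+)\.53: UDP")


def udp53_rate(capture, my_ip):
    """Inbound UDP/53 packets per wall-clock second addressed to my_ip,
    ignoring the router's own replies and non-DNS traffic.
    Returns {"HH:MM:SS": count}."""
    per_second = defaultdict(int)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, _src, dst = m.groups()
        if dst == my_ip:
            per_second[sec] += 1
    return dict(per_second)


def peak_udp53_rate(capture, my_ip):
    """Highest one-second inbound UDP/53 count seen in the capture."""
    return max(udp53_rate(capture, my_ip).values(), default=0)


if __name__ == "__main__":
    print("open config closed to WAN:", check_dnsmasq_not_on_wan(OPEN_DHCP_CONFIG))
    print("fixed config closed to WAN:", check_dnsmasq_not_on_wan(CLOSED_DHCP_CONFIG))
    print("peak inbound UDP/53 per second:", peak_udp53_rate(SAMPLE_CAPTURE, "203.0.113.9"))
```

On a real router the config text would come from `/etc/config/dhcp` and the capture from tcpdump on the WAN interface; a sustained per-second count well above what your own clients could generate, after the resolver has been closed to the WAN, is the residual flood the quoted report describes, and the remaining traffic is only noise that dnsmasq no longer answers.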
