Educause Security Discussion mailing list archives

Re: Changing ISP?


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Wed, 4 Oct 2006 08:06:36 -0700

Hi John,

You asked a number of questions, including:

#3.     Also, is it sufficient to use a single ISP for redundancy if they
#give us separate local loops, via separate ILECs, into opposite ends of the
#campus, to separate COs?

It depends on the risks that you're trying to control.

If you're worried about backhoe fade on your local loop, having physical
redundancy for those local loops will help to control the risk of an outage
due to a local circuit outage.

However, redundancy for the local loop does not buy you redundancy for the
Internet transit component of the reliability equation.

You would hope that it wouldn't be necessary to have multiple upstream
commodity transit providers to obtain functional reliability, but general
past history and your recent specific experience give the lie to that,
and most people would prefer to have multiple upstream transit providers
if they can manage it.

#4.     Can anyone speak to setting up redundancy with separate ISPs and
#BGP?

You'll need an ASN for your institution, routing hardware sufficient
to handle more than just a default upstream route, network engineering
staff to help you configure it, and PI address space that you can announce.

You can see the checklist that Sprintlink supplies for their customers at
http://www.sprintlink.net/policy/bgp.html

#We have not talked about cost with any ISPs but I imagine it would be much
#more affordable using a single ISP.    

It really depends on your business model and your connectivity
requirements, I think. Consider four scenarios:

-- You want maximum survivability, and good connectivity to all parts of
   the Internet, so you purchase capacity from two so-called "tier one"
   providers (such as Sprint and Level3). In each case, you purchase
   enough capacity so that even if you lose one provider, you have enough
   capacity on the other provider to allow you to carry all your traffic
   without congestion. This will be roughly 2X the cost of purchasing
   connectivity from a single provider, but survivability is good, and
   you've got some headroom for growth and unexpected load. If you can
   swing it, this is a nice place to be.

-- Money's an issue. You want survivability in case something goes wrong
   with an individual provider, but if you're buying from a top of the
   line provider, you're willing to assume that an outage (if one occurs)
   will be brief, and you just don't want to be COMPLETELY off the air
   during that time if that happens. In that case, you do something like
   buy a comfortably sized connection from the so-called tier one, but
   back it up with a (perhaps smaller) connection from a discount provider.
   Your capabilities are less, but so are your costs.

-- Money's *really* an issue. You decide to buy two connections from budget
   providers, each able to handle roughly half your aggregate traffic load.
   If you lose one, you have real problems with congestion (but maybe
   you plan to temporarily internally shed load by cranking down the rate
   limits on campus packet shapers or reducing the number of sessions on
   your streaming servers or whatever). Expect to spend a lot more time
   dinking around with this sort of a scenario, trying to make it work
   (and it may never really work well due to the inherent undersizing of
   the connections).

-- You decide that you want one primary connection to a so-called tier
   one provider, with a backup connection to a secondary provider that
   is normally quiescent unless the primary connection goes down. You
   may be able to arrange for that sort of backup or insurance connection
   at a fraction of the cost of a connection that's always live, but
   you'll always have the local loop costs, whether you end up using
   that second backup connection or not.

And obviously you could envision a lot of other possible scenarios as well,
including things like purchasing connectivity from a regional networking
consortium (such as NYSERnet in Utica's case). For smaller schools with
limited bandwidth requirements, this is often the best option of all (and
the NYSERnet guys are a great bunch of folks).

As you start thinking about multihoming, you should be aware that a lot
of issues can come up. To name just one, you should realize that traffic
may not naturally split on an even basis between two carriers, particularly
if one's a so-called tier one, and the other is a discount carrier.

Similarly, with multihoming, asymmetric routing becomes a possibility (traffic
leaves via one path, but returns via the other), and that can sometimes be
interesting.

I guess the bottom line is that there's no free lunch.

#We are planning owning our next set of IP addresses.  I'm told there might
#be a chance that we could keep our current set.  We'll see.

http://www.arin.net/policy/nrpm.html will be an excellent background resource
for anyone interested in provider independent (portable) address space.

It looks like Utica currently has 65.220.79/25, so I'm assuming you'd be
looking at getting a /22 pursuant to NRPM section 4.3.2.2.

Good luck with your project,

Regards,

Joe
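
As an added illustration (not part of Joe's post, and not a configuration from Utica, Sprint or any provider named above), here is the shape of a Cisco IOS BGP configuration for the fourth scenario above: a primary tier-one link and a normally quiescent backup link, with the campus announcing only its own PI block. Every ASN (documentation range 64496-64511) and every address (RFC 5737 documentation prefixes, with 203.0.113.0/24 standing in for the PI /22) is a placeholder to be replaced with values assigned to the institution.

```cisco
! Placeholder values: AS64496 = campus, AS64500 = primary tier-one,
! AS64501 = backup provider, 203.0.113.0/24 = stand-in for the PI block.
router bgp 64496
 bgp log-neighbor-changes
 ! Announce only our PI block; the Null0 route below anchors it in the RIB.
 network 203.0.113.0 mask 255.255.255.0
 !
 ! Primary upstream: only our prefix goes out, only a default comes in.
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 description PRIMARY-tier-one
 neighbor 192.0.2.1 prefix-list OUR-PI out
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.1 route-map PRIMARY-IN in
 neighbor 192.0.2.1 maximum-prefix 10
 !
 ! Backup upstream: same egress filter, plus AS-path prepending so the
 ! rest of the Internet reaches us via the primary while it is up.
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 description BACKUP-provider
 neighbor 198.51.100.1 route-map BACKUP-OUT out
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 198.51.100.1 route-map BACKUP-IN in
 neighbor 198.51.100.1 maximum-prefix 10
!
! Discard route for the aggregate; longer campus routes override it.
ip route 203.0.113.0 255.255.255.0 Null0
!
! Egress filter: nothing but the PI block ever leaves the campus AS,
! which prevents accidentally re-announcing one upstream to the other.
ip prefix-list OUR-PI seq 5 permit 203.0.113.0/24
! Ingress filter: accept a default only (no full table on this router).
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Outbound traffic prefers the primary via higher local preference.
route-map PRIMARY-IN permit 10
 set local-preference 200
route-map BACKUP-IN permit 10
 set local-preference 100
!
! Inbound traffic is steered to the primary by lengthening the path
! seen through the backup; if the primary session drops, the prepended
! announcement becomes the only one and traffic fails over.
route-map BACKUP-OUT permit 10
 match ip address prefix-list OUR-PI
 set as-path prepend 64496 64496 64496
```

Taking only a default route from each upstream keeps the hardware requirement modest; taking full tables instead is what lets the router choose per-destination paths, which is also when the uneven traffic split and asymmetric return paths described above show up.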
