Advice requested for OpenBSD vs. Linux/OpenBGP vs. Quagga router deployment.

Beat Vontobel b.vontobel at meteonews.ch
Thu Dec 18 07:55:14 CST 2008


Hi Marc,

> I saw from previous email that Quagga was recommended as opposed to  
> OpenBGP.  Any further comments on that?  Also,  any comments on the  
> choice of OpenBSD vs. Linux?
>
> I don't want to start a religious war :-) Just curious about what  
> most folks are doing and what their experiences have been.

We have been running a similar setup for about a year. I also don't want to start
a "religious war" (being a happy user of both Linux and OpenBSD, for
different purposes), but in this scenario my decision was quick and
clear:

I went for OpenBSD with OpenBGPD, consistent with my experience
over the last few years that for the basic, "hidden" (from the end
user's perspective) network services (routing, firewalling, DHCP, DNS…)
OpenBSD never let me down and saved me a _lot_ of time and hassle as
an admin (having done this stuff with Linux before). And admin time is often
more valuable than one or two CPU cycles… (and as long as I
get the throughput I demand plus a large enough margin I really don't
care about those).

My basic rule of thumb now is (and I'm just pragmatic, not religious):
If I can get away with the base installation of OpenBSD for a service,
I really give it the first try. So also for OpenBGPD. It was also the
documentation, the clean design and the usability (okay, that's really
personal taste, but I really got to love the OpenBSD config file
style) that helped with that decision. And from my perspective, it
really was the right one: The setup just works, right from the
beginning. Flawless. With both Junipers and Ciscos as neighbors.

> We are planning to run two OpenBSD based firewalls (with CARP and  
> pf) running OpenBGP in order to connect to the two ISPs.

Just one thing independent of the OpenBSD vs. Linux question:
Depending on the complexity of your setup, and maybe also for a cleaner
design and possibly additional layers of security, I'd recommend
thinking about separating the "pure" firewalls from the BGP stuff. I do
have three OpenBGPD boxes towards the Internet as our BGP peers plus
two redundant pairs of OpenBSD carp/pf boxes towards different
internal networks and DMZs. Between the OpenBGPD and the carp/pf boxes
is our "backbone".

I experimented with a setup like the one you describe (many different BGP/
router/firewalling roles combined on one pair of OpenBSD boxes) first,
but soon realized that (while perfectly okay for a simple setup) as
soon as you get more and more specialized requirements, things tend to
get unnecessarily complicated and you're probably better off with
dedicated boxes (if not for performance reasons, then still for the
design).

Best regards,
Beat Vontobel

-- 

Beat Vontobel, CTO, MeteoNews AG

Siewerdtstr. 105, CH-8050 Zurich, Switzerland

E-Mail: b.vontobel at meteonews.ch
IT Department: +41 (0)43 288 40 54
Main phone: +41 (0)43 288 40 50
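The split design described in the post above, with dedicated OpenBGPD edge boxes peering to the upstreams and separate carp/pf pairs doing the filtering behind them, sketched as a configuration example. This is an added illustration by the editor, not configuration from the original post or from MeteoNews: the AS numbers come from the RFC 5398 documentation range, the addresses from the RFC 5737 documentation ranges, and the interface names, upstreams and CARP password are assumed.

```conf
# --- /etc/bgpd.conf on one dedicated OpenBGPD edge box (constructed example) ---
AS 64496                          # our AS number (documentation range, assumed)
router-id 192.0.2.1
network 192.0.2.0/24              # the only prefix we originate

# Full tables from two upstreams; max-prefix tears the session down if a
# neighbour suddenly sends far more than expected, and retries after 60 min.
neighbor 198.51.100.1 {
	remote-as 64500
	descr "isp-a"
	max-prefix 1000000 restart 60
}
neighbor 203.0.113.1 {
	remote-as 64501
	descr "isp-b"
	max-prefix 1000000 restart 60
}

# Filters: as in pf, the last matching rule wins unless marked quick, so
# start with a default deny in both directions and open up explicitly.
deny from any
deny to any
# Never accept private space or our own prefix from an upstream.
deny quick from ebgp prefix 10.0.0.0/8 prefixlen >= 8
deny quick from ebgp prefix 172.16.0.0/12 prefixlen >= 12
deny quick from ebgp prefix 192.168.0.0/16 prefixlen >= 16
deny quick from ebgp prefix 192.0.2.0/24 prefixlen >= 24
allow from ebgp
# Announce nothing but our own prefix, so the edge box can never become
# transit for something it learned from the other upstream.
allow to ebgp prefix 192.0.2.0/24

# --- /etc/hostname.carp0 on the master of a carp/pf pair (backup: advskew 100) ---
inet 192.0.2.129 255.255.255.128 192.0.2.255 vhid 1 pass changeme carpdev em1 advskew 0

# --- /etc/hostname.pfsync0 on both members: state table sync over a dedicated link ---
syncdev em2 up

# --- /etc/pf.conf on each member of the carp/pf pair ---
# The edge boxes route; these boxes filter. Packets arrive from the
# backbone on $bb_if; the protected network sits behind $int_if.
bb_if   = "em0"                   # interface names are assumed
int_if  = "em1"
sync_if = "em2"
int_net = "192.0.2.128/25"

set skip on lo

# CARP failover and pfsync must pass before anything else is considered.
pass quick on { $bb_if $int_if } proto carp
pass quick on $sync_if proto pfsync

block log all
# Hosts on the protected network may talk out; the floating state (pf's
# default) also covers the same packet when it leaves via $bb_if.
pass in quick on $int_if inet from $int_net
# From the outside, only the services this network is meant to expose.
pass in on $bb_if inet proto tcp to $int_net port { 80 443 }
```

The point of the split is visible in the two halves: the bgpd.conf never needs to know about internal services, and the pf.conf never needs to know about peers, so a change to one cannot accidentally loosen the other. `bgpd -n -f /etc/bgpd.conf` and `pfctl -nf /etc/pf.conf` syntax-check the respective files without loading them.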

More information about the NANOG mailing list