
Smaug, the brand new OVHcloud backbone network infrastructure - sm2i
https://www.ovh.com/blog/smaug-the-brand-new-ovhcloud-backbone-network-infrastructure/
======
eric4smith
OVH Hardware, support and pricing is GREAT! Buuuuutttttt...

Their firewall situation is not. Guess what, if you use the supplied firewall,
any server from any other customer in the local NOC that your server is in,
can connect to your server. They seem to be all "safely" behind the OVH
firewall product.

You have to protect each server individually with its own in-machine firewall.

I don't want to automatically trust all other OVH customers.

At first I thought I was doing something wrong (more than a decade of setting
up firewalls). But I did put in a support ticket and they confirmed this.

Maybe I'm wrong, maybe something I did not understand, but damn... If I'm
not.... :-(

~~~
Avamander
> You have to protect each server individually with its own in-machine
> firewall.

That's the standard practice?

OVH's own firewall is for DDoS/DoS protection, not for fine-grained security,
did I understand OVH's information incorrectly?

~~~
justinclift
Ouch. That probably means there's a metric shit tonne of VMs running Docker
with open ports in their data centres.

Saying that because (by default) Docker screws with firewall rules on the VM
when it starts up, to allow other hosts to communicate with the containers.

In other hosting environments, the workaround is to apply firewall rules to
your VMs using the hosting infrastructure capabilities, e.g. separate to the
iptables (etc.) rules on each host.
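
Added example, not part of the comment above and not Docker's own code: a small audit of `iptables-save -t nat` output that lists the ports Docker has published through DNAT rules in its DOCKER chain and marks which ones are bound to a non-loopback address. The sample ruleset, addresses and the function name `docker_published_ports` are constructed for illustration.

```python
import ipaddress
import shlex
import sys

# Constructed sample of `iptables-save -t nat` output on a Docker host
# (container addresses and ports are made up for illustration).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
-A DOCKER -d 203.0.113.10/32 ! -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.4:53
COMMIT
"""

def docker_published_ports(ruleset):
    """Return one dict per DNAT rule found in the DOCKER chain."""
    findings = []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "DOCKER"] or "DNAT" not in tok:
            continue  # not a published-port rule

        def opt(flag, default):
            # Value following an option, or the default when it is absent.
            return tok[tok.index(flag) + 1] if flag in tok else default

        listen = opt("-d", "0.0.0.0/0")  # no -d match means any host address
        findings.append({
            "proto": opt("-p", "all"),
            "port": opt("--dport", ""),  # kept as text; may be a range
            "listen": listen,
            "target": opt("--to-destination", ""),
            # Anything not bound to loopback is reachable from the network
            # unless another rule filters the forwarded traffic.
            "reachable_from_network": not ipaddress.ip_network(listen).is_loopback,
        })
    return findings

if __name__ == "__main__":
    # Pass a file holding saved rules, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in docker_published_ports(text):
        state = "EXPOSED" if f["reachable_from_network"] else "local only"
        print(f'{f["proto"]}/{f["port"]} on {f["listen"]} -> {f["target"]}  [{state}]')
```

Published ports are rewritten in PREROUTING and then forwarded, so rules in the host's INPUT chain never see them. Restrictions on these ports go in the DOCKER-USER chain, or the port is published with an explicit 127.0.0.1 bind.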

------
cerberusgr
I had the worst experience from a VPS/dedicated hosting provider with OVH a
few years back. Long story short, I had a dedicated server with software RAID;
after a month, one of the disks failed. I gave them all the details, the SN of
the disk at fault etc., but apparently they removed the good disk and I lost
the server. I asked them to put it back and they told me they had destroyed
it; luckily I had a backup. Lastly, I asked for a refund; they didn’t give
anything back.

I moved to Hetzner immediately, and I haven’t had such issues till today.

I know that you can’t expect much from cheap providers but OVH is extremely
unprofessional in my experience.

~~~
imperialdrive
Amazon did about the same exact thing to me a while back, so you're not alone,
and it's not just cheap hosts that make that mistake, as we spent 10k/mo on
support alone. (AWS had EBS silently fail, which is awful enough, but then
restored data from the 'bad leg' of the system and lost all.) To this day I've
never trusted them again - maybe I should get over it, but would you?

~~~
jjeaff
I can't imagine that any of the EBS recovery isn't fully automated now, if it
wasn't then.

------
rubatuga
Notice how there’s no info on IPv6. That’s because OVH has horrible support
for IPv6 and requires non-standard routes to be set because they don’t support
router advertisements. They also rely on ND packets and not static routing for
IPv6, and also block outgoing IPv6 packets if an incoming IPv6 address has not
been established. I would avoid OVH.

~~~
stingraycharles
You’re being downvoted, but a hosting provider redesigning their core network
infrastructure in 2020 without proper IPv6 support is really bad imho.

It’s unacceptable that all these (cloud) hosting providers collectively make
ISPs look _good_.

------
jermier
I miss OVH's old control panel. It was so nerdy and to-the-point, unlike their
newer modern interface that heats up my CPU with boatloads of JavaScript, and
adopts the 'flat' design pattern that has now permeated every site in
existence.

~~~
jmnicolas
Yeah it seems every time I log in something has changed ...

------
netman21
What they describe sounds to me exactly like standard architecture for
combining PoPs and peering with backbone providers. What am I missing?

~~~
cerberusgr
Nothing really, they were on worse designs for years and they came to a point
that it couldn’t scale, so they had to come up with a new proper design.

------
johnklos
OVH is an absolutely shitty company. I've seen a tremendous uptick of spam
from OVH that they're happy to simply ignore. The same kind of spam using the
same content, the same registration patterns and the same template have
existed on their networks for many months in spite of constant abuse
complaints.

I can't imagine why anyone would want to run anything on the same networks
that OVH uses to host spammers and scammers.

And good luck talking to an actual human at OVH if something goes wrong.

------
sm2i
and their APAC backbone:
[http://weathermap.ovh.net/#apac](http://weathermap.ovh.net/#apac) with
Singapore somewhat migrated to the new architecture

------
justinclift
Just a reminder, from Wikipedia
([https://en.wikipedia.org/wiki/OVH#Email_spam](https://en.wikipedia.org/wiki/OVH#Email_spam)):

    As of November 2019, OVH is listed by The Spamhaus Project as the world's
    second worst Internet service provider for the proliferation of unsolicited bulk E-Mail

[https://www.spamhaus.org/sbl/listings/ovh.net](https://www.spamhaus.org/sbl/listings/ovh.net)

Looking at the same list now, it recently seems to have added fraud, and many
malware distribution entries too.

~~~
r1ch
This is like saying Google is the search engine with the most links to malware
pages. 36 IPs is nothing given how big OVH is.

~~~
justinclift
Those entries aren't all singular IP addresses. Some are ranges (etc).

Picking one at random:

[https://www.spamhaus.org/sbl/query/SBL492369](https://www.spamhaus.org/sbl/query/SBL492369)

That's showing a fair number of IPs.

