Vyatta as a BRAS

Lamar Owen lowen at pari.edu
Tue Jul 13 17:29:15 CDT 2010


On Tuesday, July 13, 2010 12:31:25 pm Christian Chapman wrote:
> >> Sorry, it's software running those ASIC's and FPGA's, even at that level
> Sorry ..Its a clock that runs ASIC's and FPGA's
> HDL is simply used to describe functionality before synthesis tools 
> translate the design into real hardware (gates and wires)

I missed an 'on' in my sentence; should have read '...software running ON those ASIC's and FPGA's....'  My apologies for the error, which completely changed the meaning of my statement.  

A perusal of Cisco's own documentation for one of their 'hardware' forwarding engines, the PXF used in the 10k edge services router and others, shows that even with the Toaster ASIC (looking at a pair right now on an older PRE1 for uBR10K) and its associated memory, you have something running its own software doing the work.  Cisco's own documentation describes PXF in these words: "Each of the coprocessors in a PXF network processor is an independent, high-performance processor, customized for packet processing. Each processor, called an Express Micro Controller (XMC), provides a sophisticated dual-instruction-issue execution unit, with a variety of special instructions designed to execute packet-processing tasks efficiently."  

Instruction issue?  Execution unit?  Special instructions?  Sounds like a software-driven processor to me.  Specialized software instruction set, yes.  True hardware forwarding, no software involvement?  No.  More like asymmetrical multiprocessing software routing.  Call it hardware accelerated if you like; PXF is to networking as an nVidia GeForce GPU is to graphics.

Now, if we're talking directed attacks at the control plane.... well, COPP exists for a reason in Cisco-land.  Tarpits and other techniques (too bad nVidia's ActiveArmor firewall inside their nForce chipset's NIC's is so broken), including transparent layer 2 stateful inspection firewalling (easily doable with Linux iptables and bridging), can do the same for a single-core router.  

Now to, as Emeril would say, kick it up a notch, you're going to have a very hard time DoS'ing twenty-four Phenom II cores (four sockets, six cores per socket), though (which will likely set you back less than a midrange Cisco router).  I could see Vyatta on 24 Phenom II cores having blistering and nearly DoS-proof performance, for about what accelerated forwarding platforms cost.  When the developers of software forwarding engines figure out how to leverage vector processing (SSE and similar, as well as nVidia's CUDA) to do packet forwarding, we're going to see commodity OS network routing performance hit another level. 

But specialized network processors don't always guarantee the great scalability that can be obtained with the technique.  Catalyst 8540 anyone? (I have several, and use a few in production; great boxes for raw IPv4 routing, but not at the edge, although in theory they should have been DoS-proof, since they're already switching worst-case packet sizes on the shared memory fabric at wire speed; their control plane was their weakest link).

Dedicated network coprocessors can be a good thing, but they're still software-based (even in the Catalyst 8540's case).
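The transparent layer 2 stateful firewall and the COPP-style control-plane protection mentioned above, as an added example after the post (not code from the thread, Vyatta or Cisco): a Linux bridge whose FORWARD chain does stateful inspection of transit traffic while the INPUT chain rate-limits what may reach the box's own CPU. The interface names, bridge name and rate thresholds are assumptions; with DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Transparent bridge + control-plane policing on Linux (added example).
# Assumes iproute2, iptables with conntrack/limit/hashlimit, and the
# br_netfilter module. eth0/eth1/br0 and all rates are assumed values.
set -e
BR=${BR:-br0}; IF_A=${IF_A:-eth0}; IF_B=${IF_B:-eth1}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

bridge_setup() {
  run ip link add "$BR" type bridge
  run ip link set "$IF_A" master "$BR"
  run ip link set "$IF_B" master "$BR"
  run ip link set "$IF_A" up
  run ip link set "$IF_B" up
  run ip link set "$BR" up
  run modprobe br_netfilter
  # Make bridged frames traverse iptables so L2 transit gets stateful inspection.
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

forward_rules() {
  # Transit traffic (the data plane): stateful, invalid dropped, SYN floods capped.
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
  run iptables -A FORWARD -p tcp --syn -m hashlimit --hashlimit-name syn \
      --hashlimit-mode dstip --hashlimit-above 200/s -j DROP
  run iptables -A FORWARD -m conntrack --ctstate NEW -j ACCEPT
}

copp_rules() {
  # Traffic addressed to the box itself is the control plane: policy DROP,
  # only replies plus rate-limited ICMP and management sessions get through.
  run iptables -P INPUT DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -p icmp -m limit --limit 20/s --limit-burst 40 -j ACCEPT
  run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m limit --limit 5/s --limit-burst 10 -j ACCEPT
}

bridge_setup
forward_rules
copp_rules
```

Run as root with `DRY_RUN=0` to apply; anything the INPUT rules do not explicitly admit is dropped before it can load the CPU, which is the same idea COPP implements on the Cisco side.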




More information about the NANOG mailing list