Vyatta as a BRAS

Tony Varriale tvarriale at comcast.net
Thu Jul 15 04:16:49 UTC 2010


----- Original Message ----- 
From: "Joe Greco" <jgreco at ns.sol.net>
To: "Dobbins, Roland" <rdobbins at arbor.net>
Cc: "NANOG list" <nanog at nanog.org>
Sent: Wednesday, July 14, 2010 7:03 PM
Subject: Re: Vyatta as a BRAS


>> On Jul 14, 2010, at 10:17 PM, Joe Greco wrote:
>>
>> > The truth is that you can keep throwing CPU at a problem as well.  I can
>> > size a software based router such that it can remain available.
>>
>> Not against mpps, or even high kpps, you can't, unfortunately.
>
> Really?  I'm positive that I can, because I *have*, and other people
> *have*.  The sweet spot for protecting a 100Mbps circuit, in particular,
> moved from hardware to software about five years ago.  That simply means
> it's more cost-effective for a competent admin to spend some time to set
> up the box than it is to spend money on dedicated silicon that'll be
> obsolete in a few years, a fact that's conveniently ignored by a lot of
> the advocates of such solutions.  To drive the point home, FreeBSD based
> routers that we built in 2004 are able to cope with full routing tables
> and IPv6 *today*, at the same traffic levels they were designed for, and
> those particular qualities don't seem to be present in many of the
> hardware-based offerings of the era.  If and when they cease to be useful
> in that capacity, they can be trivially repurposed as firewalls or web
> servers or other similar tasks, because unlike the pricey purpose-built
> router hardware, there are advantages to general purpose hardware.
>
> Quite frankly, this is starting to be a little annoying.  Perhaps you
> could do some research, or find some competent admins and test a few well
> built setups yourself before you make any more disprovable claims.  My
> claims are not ridiculous and are not a figment of my imagination; I can
> point to many-years-old documented examples, such as
>
> http://lists.freebsd.org/pipermail/freebsd-net/2004-September/004840.html
>
> http://info.iet.unipi.it/~luigi/polling/
>
> These are tests of forwarding capabilities, true, but the reality is that
> the same sorts of things that make this possible make it relatively easy
> to support large numbers of packets directed "at the control plane", since
> the concept of the control plane isn't as separated in the FreeBSD software
> model as it is in the hardware model.  As a result, a FreeBSD box can take
> and sink quite a bit of traffic.  Doing so does not cripple it.
>
> For giggles, I took two out-of-the-box FreeBSD 8.0 servers, twiddled
> *only* device polling to on, and started them running traffic at each
> other.  Both were sending north of 100Mbps (>>100Kpps) of traffic at
> the other, both when listening and when not, no problems, no crashes,
> no issues.  That doesn't sound too great until I reveal that I was
> lazy and it's only some excess capacity on a VMware box that's
> available to these two virtual servers.
>
>> > Software based platforms have an incredible edge in areas that hardware
>> > based platforms don't, including capex and the ability to find replacement
>> > parts after a disaster.
>>
>> I agree 100% with this, and with much of what you say.  My point is that
>> at the *edge* - like a BRAS, which is how this thread started - one must
>> have platforms which can be adequately protected against attack/abuse, and
>> hardware-based platforms are the only practical way to do that.
>
> In some cases, for some purposes, yes.  Otherwise, no.
>
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
>

I briefly browsed the links and I didn't see any traffic profiles included.

If you are talking about pushing x mbps with no specifics and/or general 
traffic, I think most of us agree you can do that easily and probably 
consistently without any issues.  And for some icing, you may even do it at 
<90% average CPU util.  Does that mean it should be an edge device at any 
service provider?  No.  Some?  Sure.

Can you point to any specific tests of attack vectors and/or traffic 
profiles with: CPU utilization, packet loss levels and pps/mbps/etc data? 
The reason I ask is that Roland is in a specific business and has a specific 
point.

As a side, were those 2 VMs on the same box?  That traffic out on the wire? 
What's the traffic profile?

tv 
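The figures Tony asks for (pps, Mbps, packet loss and CPU utilisation over a run) are what separates "it pushed x mbps" from a usable availability claim. Below is an added example, not code from anyone in this thread, that reduces per-second samples from a two-box test like Joe's into that profile and checks it against an explicit loss budget and CPU ceiling. The sample data is constructed, and the `Sample` layout, the 0.1% loss budget and the 90% CPU ceiling are assumptions for illustration; the box-of-interest counters would come from the generator and the device under test (on FreeBSD, `netstat -w 1` style interface counters and `vmstat`/`top` CPU figures).

```python
"""Summarise a software-router load test from per-second samples.

Added example (not from the NANOG thread). Each Sample is one second of
the run: packets/bytes emitted by the traffic generator, packets that
made it through the device under test (DUT), and the DUT's CPU busy %.
The summary reports pps, Mbps, loss and CPU headroom, and a pass/fail
verdict against a loss budget and CPU ceiling (both assumed values).
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Sample:
    sent_pkts: int     # packets the generator sent this second
    sent_bytes: int    # bytes the generator sent this second
    recv_pkts: int     # packets counted on the far side of the DUT
    cpu_util: float    # DUT CPU busy, percent


def summarize(samples, loss_budget_pct=0.1, cpu_ceiling_pct=90.0):
    """Return the traffic profile of a run as a dict.

    loss_budget_pct and cpu_ceiling_pct are assumed thresholds: a run
    passes only if overall loss stays within budget and CPU never hits
    the ceiling.  Per-second loss is also reported so a short drop
    window is not hidden by a healthy average.
    """
    if not samples:
        raise ValueError("need at least one sample")
    seconds = len(samples)
    sent = sum(s.sent_pkts for s in samples)
    recv = sum(s.recv_pkts for s in samples)
    sent_bytes = sum(s.sent_bytes for s in samples)
    cpu = [s.cpu_util for s in samples]

    # Worst single second of loss, as a percentage of that second's offered load.
    per_sec_loss = [
        100.0 * (s.sent_pkts - s.recv_pkts) / s.sent_pkts if s.sent_pkts else 0.0
        for s in samples
    ]
    loss_pct = round(100.0 * (sent - recv) / sent, 3) if sent else 0.0
    return {
        "seconds": seconds,
        "pps": sent / seconds,
        "mbps": sent_bytes * 8 / seconds / 1e6,
        "loss_pct": loss_pct,
        "worst_second_loss_pct": round(max(per_sec_loss), 3),
        "cpu_avg": round(mean(cpu), 2),
        "cpu_max": max(cpu),
        "passed": loss_pct <= loss_budget_pct and max(cpu) < cpu_ceiling_pct,
    }


# Constructed run 1: ~150 kpps of 100-byte packets, small loss, CPU climbing.
STEADY_RUN = [
    Sample(150_000, 15_000_000, r, c)
    for r, c in zip(
        [150_000] * 8 + [149_700, 149_850],
        [40, 42, 45, 50, 55, 60, 65, 70, 72, 75],
    )
]

# Constructed run 2: 200 kpps offered; DUT saturates and starts dropping.
SATURATED_RUN = [
    Sample(200_000, 20_000_000, r, c)
    for r, c in zip(
        [200_000, 200_000, 190_000, 150_000, 120_000],
        [60, 80, 95, 99, 100],
    )
]


def report(name, samples):
    """Print one run's profile; returns the summary for reuse."""
    s = summarize(samples)
    print(f"{name}: {s['pps']:.0f} pps, {s['mbps']:.1f} Mbps, "
          f"loss {s['loss_pct']}% (worst second {s['worst_second_loss_pct']}%), "
          f"CPU avg {s['cpu_avg']}% max {s['cpu_max']}%, "
          f"{'PASS' if s['passed'] else 'FAIL'}")
    return s


if __name__ == "__main__":
    report("steady", STEADY_RUN)
    report("saturated", SATURATED_RUN)
```

The worst-second figure matters more than the average for the "remain available" question in the thread: a box that drops 14% of offered packets during the last two seconds of a run has already stopped being available, regardless of how the full-run average looks.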
