New vyatta-nsp list

Joel Jaeggli joelja at bogus.com
Fri May 27 10:30:38 UTC 2011


On May 24, 2011, at 7:52 PM, George Bonser wrote:

>> The graphs show near 100% CPU usage at small packet sizes, and low
>> PPS. That would lead to a pretty easy to launch DDoS against a
>> software based router platform.
>> Since there isn't a separation between control plane/forwarding plane,
>> an attacker could trivially take you offline. I'd imagine due to the
>> nature of x86 platform, being interrupt based and forwarding table
>> residing in memory the CPU has to access, there's a finite amount you
>> can scale this without risking big disruptions from a relatively small
>> DDoS.
>> 
>> Not saying software platforms can't achieve good throughput, there has
>> to be a realization of the limits of the platform, and when it
>> shouldn't be used.
>> Again, I personally use the Vyatta commercial software, and it works
>> great, so I'm not knocking it. But I wouldn't consider it high-end
>> performance when a few million PPS can lead to service disruptions.
>> 
>> --
>> Brent Jones
>> brent at servuhome.net
> 
> Every tool has its use.  Also, they have several different sized
> appliances.   How much CPU use you get depends on how many cores you
> throw at the problem.  They can use multiple cores/processors.  The
> result given in one test might not match someone else's test if they
> have higher end hardware, maybe better than the appliances Vyatta ships.

It's actually rather hard with current PC hardware to get multiple cores engaged in parallel per input interface. While you can plan for various cases, the one to account for is the small-packet performance not overwhelming the capabilities of a single CPU core.

> But the primary point I am trying to make is if you have an office with
> sub-gigabit connectivity and you need NAT and firewalling and VPNs, it
> might be a very cost-effective solution.   It might not be a good
> solution in a different environment.  It is sort of like pointing out
> that your neighbor's Accord doesn't have the performance characteristics
> of a Ferrari but your neighbor only drives in rush hour on roads with a
> maximum speed of 65 MPH.  The Ferrari would cost much more money, cost
> more to support over time, and not get him to work any faster.
> 
> If one is never going to pass enough traffic to get anywhere near the
> maximum performance of the unit anyway, why spend so much more money?
> Besides, on most integrated firewall/NAT/VPN units I have used in the
> past, I have run them out of CPU from VPN and NAT long before they ever
> reached their maximum traffic throughput.

More information about the NANOG mailing list