New vyatta-nsp list
Brent Jones
brent at servuhome.net
Tue May 24 23:50:45 UTC 2011
On Tue, May 24, 2011 at 2:54 PM, Jon Bane <jon at nnbfn.net> wrote:
> On Tue, May 24, 2011 at 5:26 PM, Brent Jones <brent at servuhome.net> wrote:
>>
>>
>> Well, with the new Juniper entry level MX devices out now, the cost
>> difference between Vyatta and Juniper is probably insignificant now,
>> and with Juniper devices, you have much higher PPS rate.
>>
>> Granted, I have Vyatta devices now doing BGP, and they work fine, but
>> you can't argue that ASICs can forward much faster than a general
>> purpose CPU :)
>>
>> To each their own
>>
>> --
>> Brent Jones
>> brent at servuhome.net
>>
>>
> I won't argue that an ASIC isn't faster, but it is hard to argue that Vyatta
> isn't capable of high-end performance.
>
> http://download.intel.com/embedded/processor/solutionbrief/322973.pdf
>
The graphs show near 100% CPU usage at small packet sizes, and low
PPS. That would lead to a pretty easy to launch DDoS against a
software based router platform.
Since there isn't a separation between control plane/forwarding plane,
an attacker could trivially take you offline. I'd imagine due to the
nature of x86 platform, being interrupt based and forwarding table
residing in memory the CPU has to access, theres a finite amount you
can scale this without risking big disruptions from a relatively small
DDoS.
Not saying software platforms can't achieve good throughput, there has
to be a realization of the limits of the platform, and when it
shouldn't be used.
Again, I personally use the Vyatta commercial software, and it works
great, so I'm not knocking it. But I wouldn't consider it high-end
performance when a few million PPS can lead to service disruptions.
--
Brent Jones
brent at servuhome.net
More information about the NANOG
mailing list