New vyatta-nsp list

Brent Jones brent at servuhome.net
Tue May 24 18:50:45 CDT 2011


On Tue, May 24, 2011 at 2:54 PM, Jon Bane <jon at nnbfn.net> wrote:
> On Tue, May 24, 2011 at 5:26 PM, Brent Jones <brent at servuhome.net> wrote:
>>
>>
>> Well, with the new Juniper entry level MX devices out now, the cost
>> difference between Vyatta and Juniper is probably insignificant now,
>> and with Juniper devices, you have much higher PPS rate.
>>
>> Granted, I have Vyatta devices now doing BGP, and they work fine, but
>> you can't argue that ASICs can forward much faster than a general
>> purpose CPU  :)
>>
>> To each their own
>>
>> --
>> Brent Jones
>> brent at servuhome.net
>>
>>
> I won't argue that an ASIC isn't faster, but it is hard to argue that Vyatta
> isn't capable of high-end performance.
>
> http://download.intel.com/embedded/processor/solutionbrief/322973.pdf
>

The graphs show near 100% CPU usage at small packet sizes, and low
PPS. That would lead to a pretty easy to launch DDoS against a
software based router platform.
Since there isn't a separation between control plane/forwarding plane,
an attacker could trivially take you offline. I'd imagine due to the
nature of x86 platform, being interrupt based and forwarding table
residing in memory the CPU has to access, there's a finite amount you
can scale this without risking big disruptions from a relatively small
DDoS.

Not saying software platforms can't achieve good throughput, there has
to be a realization of the limits of the platform, and when it
shouldn't be used.
Again, I personally use the Vyatta commercial software, and it works
great, so I'm not knocking it. But I wouldn't consider it high-end
performance when a few million PPS can lead to service disruptions.

-- 
Brent Jones
brent at servuhome.net




More information about the NANOG mailing list