vyatta for bgp
millnert at gmail.com
Mon Sep 12 21:36:54 UTC 2011
On Mon, Sep 12, 2011 at 11:13 PM, Brent Jones <brent at servuhome.net> wrote:
> Lots of devices can have trouble if you direct high PPS to the control
> plane, and will exhibit performance degradation, leading up to a DoS.
> That isn't limited to software based routers at all; it will impact
> dedicated ASICs. Vendors put together solutions for this, to protect
> the router itself/control plane, whether it's a software based router
> or ASICs.
> Now if this was a Mikrotik with a 1GHz Intel Atom CPU, sure, lots of
> things could take that thing offline, even funny looks. But a modern,
> multi-core/multi-thread system with multi-queued NICs will handle
> hundreds of thousands of PPS directed to the router itself before
> having issues, of nearly any packet size.
> A high end ASIC can handle millions/tens of millions PPS, but directed
> to the control plane (which is often a general purpose CPU as well,
> Intel or PowerPC), probably not in most scenarios.
> I think it's very fair for a small/medium sized organization to run
> software based routers, Vyatta included.

Speaking of Mikrotik there, I recently pushed 350kpps small packets
through an x86 RouterOS image running under KVM (using VT-d for the NIC)
on my desktop machine (which is a number I seem to run into more than
once when it comes to Linux/Linux-derivative forwarding on a single
queue & core). I saw a release note claiming their next sw release
will do 15-20% more on both MIPS and x86. Unsurprisingly, open
source software forwarding is still very far from 10G linerate of small
pps through a single CPU core.

350kpps of 64B packets is of course merely 180 Mbps (notably, actually
sufficient for handling incoming small packets on a 100 Mbps uplink).

Re adversaries or random scum filling your uplinks with useless bits,
I think I hear the largest DDoSes now have filled 100G links, so..
don't make yourself a packeting target if you happen to run smaller
links than that? :)

Generally on staying alive through DDoS by anything else than some
degree of luck, I guess having more bandwidth between your network and
your peers than what your peers all have to their peers is advised
(the statement could possibly be improved upon using some minimum cut
graph theory language).
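The "minimum cut" framing hinted at above, worked through as an added example (not part of the original post): the peering topology is modelled as a capacity graph, and the maximum inbound flow from everything beyond your peers equals the minimum cut. If that flow is smaller than the sum of your own uplinks, the bottleneck sits upstream and your edge links cannot be saturated by volumetric traffic. The node names and Gbps figures are constructed, not taken from any real network.

```python
from collections import deque

# Constructed peering graph, capacities in Gbps (hypothetical values).
# "internet" stands for every network beyond your direct peers.
PEERING = {
    "internet": {"peerA": 10, "peerB": 10},   # peers' links to their peers
    "peerA": {"me": 20},                      # your links to your peers
    "peerB": {"me": 10},
    "me": {},
}

def max_flow(graph, src, dst):
    """Edmonds-Karp max flow; returns (flow value, residual capacities)."""
    residual = {u: dict(nbrs) for u, nbrs in graph.items()}
    for u, nbrs in graph.items():            # add zero-capacity back edges
        for v in nbrs:
            residual.setdefault(v, {}).setdefault(u, 0)
    flow = 0
    while True:
        parent = {src: None}                 # BFS for a shortest augmenting path
        queue = deque([src])
        while queue and dst not in parent:
            u = queue.popleft()
            for v, cap in residual[u].items():
                if cap > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:                # no augmenting path: flow is maximal
            return flow, residual
        path_flow = float("inf")             # bottleneck capacity on the path
        v = dst
        while parent[v] is not None:
            path_flow = min(path_flow, residual[parent[v]][v])
            v = parent[v]
        v = dst
        while parent[v] is not None:         # push flow along the path
            u = parent[v]
            residual[u][v] -= path_flow
            residual[v][u] += path_flow
            v = u
        flow += path_flow

def uplink_headroom(graph, me="me", src="internet"):
    """Return (max inbound flow, total uplink capacity, headroom).
    Headroom > 0 means upstream links fill before your own edge does."""
    uplinks = sum(caps.get(me, 0) for caps in graph.values())
    flow, _ = max_flow(graph, src, me)
    return flow, uplinks, uplinks - flow

if __name__ == "__main__":
    print(uplink_headroom(PEERING))          # (20, 30, 10)
```

With these constructed figures the min cut is the peers' 20 Gbps of upstream capacity, so 10 Gbps of the 30 Gbps of uplinks can never be filled from outside; lowering either peer's upstream figure moves the cut further out, raising a peer's figure above your link to them moves it to your edge.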