The Making of a Router

shawn wilson at
Fri Dec 27 09:21:30 UTC 2013

On Fri, Dec 27, 2013 at 1:33 AM,  <Valdis.Kletnieks at> wrote:
> On Thu, 26 Dec 2013 11:16:53 -0800, Seth Mattinen said:
>> On 12/26/13, 9:24, Andrew D Kirch wrote:
>> >
>> > If he can afford a 10G link... he should be buying real gear...  I mean,
>> > look, I've got plenty of infrastructure horror stories, but let's not
>> > cobble together our own 10gbit solutions, please?  At least get one of
>> > the new MikroTik CCRs with a 10gig sfp+?  They're only a kilobuck... If
>> > you can't afford that I suggest you can't afford to be an ISP.
>> Unless all the money is going into the 10 gig link.
> If you've sunk so much into the 10G link (or anything else, for that matter)
> that you don't have a kilobuck to spare, you're probably undercapitalized to be
> an ISP.

I have an issue with this line of thought. Granted, a router is built
with custom ASICs and most network people understand IOS. However,
this is where the benefit of a multi-thousand buck router ends. Most
have limited RAM, so this limits the size of your policies and how
many routes can be stored and the like. With a computer with multiple
10s or 100s of gigs of RAM, this really isn't an issue. Routers also
have slow-ish processors (which is fine for pure routing since they
are custom chips but) if you want to do packet inspection, this can
slow things down quite a bit. You could argue that this is the same
with iptables or pf. However, if you just offload the packets and
analyze generally boring packets with snort or bro or whatever,
packets flow as fast as they would without analysis. If you have
multiple VPNs, this can start to slow down a router whereas a computer
can generally keep up.

... And then there's the money issue. Sure, if you're buying a gig+
link, you should be able to afford a fully spec'd out router. However,
(in my experience) people don't order equipment with all features
enabled and when you find you need a feature, you have to put in a
request to buy it and then it takes a month (if you're lucky) for it
to be approved. This isn't the case if you use ipt/pf - if the feature
is there, it's there - use it.

And if a security flaw is found in a router, it might be fixed in the
next month... or not. With Linux/BSD, it'll be fixed within a few days
(at the most). And, if your support has expired on a router or the
router is EOL, you're screwed.

I think in the near future, processing packets with GPUs will become a
real thing which will make doing massive real time deep packet
inspection at 10G+ a real thing.

Granted, your network people knowing IOS when they're hired is a big
win for just ordering Cisco. But, I don't see that as a show stopper.
Stating the scope of what a box is supposed to be used for and not
putting endless crap on it might be another win for an actual router.
However, this is a people/business thing and not a technical issue.

Also, I'm approaching this as more of a question of the best tool for
the job vs pure economics - a server is generally going to be cheaper,
but I generally find a server nicer/easier to configure than a router.

More information about the NANOG mailing list