scaling linux-based router hardware recommendations

Ray Soucy rps at
Thu Jan 29 21:56:27 UTC 2015

"For us, open source isn't just a business model; it's smart
engineering practice." -- Bruce Schneier

I hope I'm not the only one, but I think the NSA (and other state
actors) intentionally introducing systemic weaknesses or backdoors
into critical infrastructure is pretty ... reckless.  I really can't
figure out if it's arrogance or just plain naivety on their part, but
they seem pretty confident that the information won't ever fall into
the wrong hands and keep pushing forward.

So for me, this is an area I'm very interested in seeing some progress.

I think most people don't realize that if you only care about 1G
performance levels, commodity hardware can be more than fine.  Linux
netfilter makes a really great firewall, and it's the most
peer-reviewed in the world.

On Wed, Jan 28, 2015 at 6:18 PM, Adrian Chadd <adrian at> wrote:
> [snip]
> To inject science into the discussion:
> And he maintains a test setup to check for performance regressions:
> Now, this is using the in-kernel stack, not netmap/pfring/etc that
> uses all the batching-y, stack-shallow-y implementations that the
> kernel currently doesn't have. But, there are people out there doing
> science on it and trying very hard to kick things along. The nice
> thing about what has come out of the DPDK related stuff is, well, the
> bar is set very high now. Now it's up to the open source groups to
> stop messing around and do something about it.
> If you're interested in more of this stuff, go poke Jim at pfsense/netgate.
> -adrian
> (This and RSS work is plainly in my "stuff I do for fun" category, btw.)

Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
