[127763] in North American Network Operators' Group


Re: Vyatta as a BRAS

daemon@ATHENA.MIT.EDU (Tony Li)
Tue Jul 13 16:26:59 2010

From: Tony Li <tony.li@tony.li>
In-Reply-To: <4C3CB8F1.6080703@foobar.org>
Date: Tue, 13 Jul 2010 13:26:29 -0700
To: Nick Hilliard <nick@foobar.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


Hi folks,

On Jul 13, 2010, at 12:05 PM, Nick Hilliard wrote:

> I think Roland's point was that on "hardware routers", there is a
> separation of function between the control and the forwarding planes, and
> that the forwarding plane is designed to be able to transmit data in an
> efficient parallel manner.  I.e. on a well-designed hardware router, if you
> trash the data path on the router through ingress A and egress B, the
> damage stops there: the control plane is unaffected and ingress C to egress
> D is also ok (for arbitrary values of C and D).


The key point here is one of design, not one of implementation
technology.  If you need a router that is robust against DoS attacks,
then that's what you should buy.  Such routers can be built from ASICs,
CPUs, or even 7400 series TTL, if you work hard enough at it.

There is no meaningful distinction of 'hardware' or 'software'.  All of
the ASIC based systems embody processors of various flavors in the ASICs
that are running forwarding software.  And the difference between an
ASIC and a CPU is not as much as you might think.  Ok, ASICs typically
don't go to full custom layout (tho some crazy people have done that)
and are typically a few steps behind on the process technology curve.
But this is not the fundamental issue.

The whole point about being DoS resistant is one of horsepower.  To do
DoS protection correctly, you need to be able to do packet examination
at line rate.  When there are packets destined for the router, they need
to be classified appropriately, queued carefully and those queues need
to be serviced in The Right Way (tm).  If your system has the
performance to do this in addition to the normal transit load on the
system, then it's in pretty good shape.

Regards,
Tony
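The classify / queue / service design that the post describes for packets destined to the router, as an added toy simulation (not code from this thread, Vyatta, or any router vendor). The classification policy, the per-class rates, the round-robin weights and the traffic mix are all hypothetical values constructed for the demo: each tick a few legitimate BGP packets arrive alongside a UDP flood aimed at the router itself, every class is policed by its own token bucket before it can consume CPU, and the queues are then serviced with a fixed CPU budget in weighted round-robin, so the flood is dropped in its own class while the routing class is delivered untouched.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    proto: str        # 'tcp', 'udp' or 'icmp'
    dport: int = 0


def classify(pkt: Packet) -> str:
    """Assign a packet punted to the router CPU to a class (hypothetical policy)."""
    if pkt.proto == 'tcp' and pkt.dport == 179:          # BGP
        return 'routing'
    if pkt.proto == 'udp' and pkt.dport in (161, 162):   # SNMP
        return 'management'
    if pkt.proto == 'icmp':
        return 'icmp'
    return 'other'


@dataclass
class TokenBucket:
    rate: int     # tokens added per tick
    burst: int    # bucket capacity
    tokens: int = field(init=False)

    def __post_init__(self):
        self.tokens = self.burst

    def take(self) -> bool:
        if self.tokens <= 0:
            return False
        self.tokens -= 1
        return True

    def refill(self):
        self.tokens = min(self.burst, self.tokens + self.rate)


class ControlPlanePolicer:
    """Per-class policed queues, serviced in weighted round-robin."""

    def __init__(self, policy):
        # policy: class -> (rate, burst, wrr_weight); values are assumed
        self.queues = {c: deque() for c in policy}
        self.buckets = {c: TokenBucket(r, b) for c, (r, b, _) in policy.items()}
        self.weights = {c: w for c, (_, _, w) in policy.items()}
        self.delivered = {c: 0 for c in policy}
        self.dropped = {c: 0 for c in policy}

    def ingress(self, pkt: Packet):
        cls = classify(pkt)
        if self.buckets[cls].take():
            self.queues[cls].append(pkt)
        else:
            self.dropped[cls] += 1   # policed away before it reaches the CPU

    def service(self, cpu_budget: int):
        """Spend a fixed CPU budget across the queues, weighted round-robin."""
        remaining = cpu_budget
        while remaining > 0 and any(self.queues.values()):
            for cls, q in self.queues.items():
                for _ in range(self.weights[cls]):
                    if q and remaining > 0:
                        q.popleft()
                        self.delivered[cls] += 1
                        remaining -= 1
        for bucket in self.buckets.values():
            bucket.refill()


# Hypothetical policy: class -> (rate per tick, burst, round-robin weight)
POLICY = {
    'routing':    (10, 20, 4),
    'management': (5, 10, 2),
    'icmp':       (5, 10, 1),
    'other':      (20, 40, 1),
}


def run_flood(ticks=10, cpu_budget=30, flood_pps=1000):
    """Each tick: 3 legitimate BGP packets plus a UDP flood at the router (constructed)."""
    copp = ControlPlanePolicer(POLICY)
    for _ in range(ticks):
        for i in range(3):
            copp.ingress(Packet(src='192.0.2.%d' % (i + 1), proto='tcp', dport=179))
        for i in range(flood_pps):
            copp.ingress(Packet(src='203.0.113.%d' % (i % 254 + 1), proto='udp', dport=9999))
        copp.service(cpu_budget)
    return {'delivered': dict(copp.delivered), 'dropped': dict(copp.dropped)}


if __name__ == '__main__':
    print(run_flood())
```

With these numbers all 30 BGP packets are delivered and nothing in the routing class is dropped, while 9780 of the 10000 flood packets are discarded by the 'other' class policer without ever being queued. The cost that makes this work is exactly the horsepower the post talks about: the classifier has to run on every punted packet at line rate, or the protection is only as good as the classifier's own throughput.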
