[127839] in North American Network Operators' Group
Re: Vyatta as a BRAS
daemon@ATHENA.MIT.EDU (Lamar Owen)
Fri Jul 16 10:03:41 2010
Date: Fri, 16 Jul 2010 10:03:15 -0400
From: Lamar Owen <lowen@pari.edu>
To: nanog@nanog.org
In-Reply-To: <4C3F5246.8080606@bromirski.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thursday, July 15, 2010 02:24:06 pm Łukasz Bromirski wrote:
> (and I'm all for FreeBSD boxes, don't get me wrong, the whole point
> of this discussion is that either you're doing hardware forwarding
> and you're pretty safe [unfortunately often with a lot of caveats,
> but still], or you're doing software forwarding and you have
> a nice attack vector open for anyone willing)
This distills one of the points of view nicely.
An operationally useful question is to ask (yourself) at what point (bandwidth- and type of traffic- speaking) does a particular box become vulnerable? 10Mb/s? 100Mb/s? 1Gb/s? 100Gb/s? Traffic directed at the control plane? Small packet traffic? Any traffic?
Any box; hardware-based or software-based is irrelevant, because at some data volume all boxes become vulnerable; the variance is only in what volume the box can handle and how well the control plane is protected from that volume. Test with reasonable traffic loads (and drawing on the collective wisdom of this group as to what is 'reasonable' for a BRAS is good!), and derive conclusions that fit your need. Knowing these things allows you to scale your solution to avoid the majority of the problems and buy what fits your projected scale over the design life of the solution.
Take a 2003-vintage OSR7609 (Sup2/MSFC2) still running 12.1E. Definitely a hardware-based router. Does it have a nice attack vector? Perhaps. Is this combination still in use? I'm not sure I want to know (Sup2/MSFC2 is, I know; the 12.1E part is the scary one).
Hardware-based is not a magic bullet that destroys attack vectors dead in their tracks (as Łukasz hints at with the parenthetical caveats remark). And software-based is not defenseless, either.