[140997] in North American Network Operators' Group
Re: New vyatta-nsp list
daemon@ATHENA.MIT.EDU (Joel Jaeggli)
Fri May 27 09:34:16 2011
From: Joel Jaeggli <joelja@bogus.com>
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0C9E3439@RWC-EX1.corp.seven.com>
Date: Fri, 27 May 2011 03:30:38 -0700
To: George Bonser <gbonser@seven.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On May 24, 2011, at 7:52 PM, George Bonser wrote:
>> The graphs show near 100% CPU usage at small packet sizes, and low
>> PPS. That would lead to a pretty easy to launch DDoS against a
>> software based router platform.
>> Since there isn't a separation between control plane/forwarding plane,
>> an attacker could trivially take you offline. I'd imagine due to the
>> nature of x86 platform, being interrupt based and forwarding table
>> residing in memory the CPU has to access, theres a finite amount you
>> can scale this without risking big disruptions from a relatively small
>> DDoS.
>>
>> Not saying software platforms can't achieve good throughput, there has
>> to be a realization of the limits of the platform, and when it
>> shouldn't be used.
>> Again, I personally use the Vyatta commercial software, and it works
>> great, so I'm not knocking it. But I wouldn't consider it high-end
>> performance when a few million PPS can lead to service disruptions.
>>
>> --
>> Brent Jones
>> brent@servuhome.net
>
> Every tool has its use. Also, they have several different sized
> appliances. How much CPU use you get depends on how many cores you
> throw at the problem. They can use multiple cores/processors. The
> result given in one test might not match someone else's test if they
> have higher end hardware, maybe better than the appliances Vyatta ships.
It's actually rather hard with current PC hardware to get multiple cores engaged in parallel per input interface. While you can plan for various cases, the one to account for is the small packet performance not overwhelming the capabilities of a single CPU core.
> But the primary point I am trying to make is if you have an office with
> sub-gigabit connectivity and you need NAT and firewalling and VPNs, it
> might be a very cost-effective solution. It might not be a good
> solution in a different environment. It is sort of like pointing out
> that your neighbor's Accord doesn't have the performance characteristics
> of a Ferrari but your neighbor only drives in rush hour on roads with a
> maximum speed of 65 MPH. The Ferrari would cost much more money, cost
> more to support over time, and not get him to work any faster.
>
> If one is never going to pass enough traffic to get anywhere near the
> maximum performance of the unit anyway, why spend so much more money?
> Besides, on most integrated firewall/NAT/VPN units I have used in the
> past, I have run them out of CPU from VPN and NAT long before they ever
> reached their maximum traffic throughput.
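The small-packet budget Brent and Joel are arguing about, worked through as an added example (this is not code from the thread, from Vyatta, or from any poster). The 20-byte Ethernet wire overhead (preamble, SFD, inter-frame gap) is standard; the 3 GHz clock, the 1500 cycles per forwarded packet and the one-core-per-interface default are constructed assumptions to make the arithmetic concrete, and the `core_budget` / `CoreBudget` names are mine:

```python
"""Small-packet capacity budget for a single-core software router.

Added example for this thread, not code from the thread or from Vyatta.
The per-packet CPU cost and clock rate are constructed assumptions;
measure them on the actual box before trusting any number here.
"""
from dataclasses import dataclass

# Ethernet puts 20 bytes on the wire around every frame: 7-byte preamble,
# 1-byte start-of-frame delimiter and a 12-byte inter-frame gap.  That is
# why a 1 GbE link tops out near 1.488 Mpps at 64-byte frames, not 1.95 Mpps.
ETH_WIRE_OVERHEAD_BYTES = 20


def bits_on_wire(frame_bytes: int) -> int:
    """Bits the link spends per frame, including preamble/SFD and IFG."""
    return (frame_bytes + ETH_WIRE_OVERHEAD_BYTES) * 8


def wire_rate_pps(link_bps: int, frame_bytes: int) -> int:
    """Most frames per second a link can carry at one frame size."""
    return link_bps // bits_on_wire(frame_bytes)


def cycles_per_packet_budget(clock_hz: int, pps: int) -> float:
    """Cycles one core may spend per packet and still keep up with pps."""
    return clock_hz / pps


@dataclass
class CoreBudget:
    frame_bytes: int
    wire_pps: int          # what the link can deliver at this frame size
    cycle_budget: float    # cycles/packet a core has at wire rate
    sustainable_pps: int   # what the forwarding core(s) can actually handle
    saturates: bool        # True if the link can out-run the CPU
    attack_bps: int        # bandwidth that pins the CPU (or fills the link)


def core_budget(link_bps: int, frame_bytes: int, clock_hz: int,
                cycles_per_packet: int, cores: int = 1) -> CoreBudget:
    """Compare link PPS against per-core forwarding capacity.

    cores defaults to 1 because, as Joel notes, spreading one input
    interface across several cores is hard; raise it only if the NIC and
    driver really do fan packets out (e.g. RSS with per-queue IRQs).
    """
    wire_pps = wire_rate_pps(link_bps, frame_bytes)
    sustainable = int(clock_hz * cores // cycles_per_packet)
    saturates = wire_pps > sustainable
    # An attacker needs only enough small frames to exhaust the CPU; if the
    # CPU can keep up, the link itself is the limit.
    attack_bps = min(wire_pps, sustainable) * bits_on_wire(frame_bytes)
    return CoreBudget(frame_bytes, wire_pps,
                      cycles_per_packet_budget(clock_hz, wire_pps),
                      sustainable, saturates, attack_bps)


def main() -> None:
    # Constructed assumptions: a 3 GHz core that spends 1500 cycles per
    # forwarded packet (NAT/firewall path), one core per input interface.
    clock_hz, cost = 3_000_000_000, 1500
    for link in (1_000_000_000, 10_000_000_000):
        print(f"{link // 1_000_000_000} GbE, {cost} cycles/pkt, 1 core")
        for size in (64, 128, 512, 1518):
            b = core_budget(link, size, clock_hz, cost)
            flag = "CPU-bound" if b.saturates else "link-bound"
            print(f"  {size:5d}B  wire {b.wire_pps:>10,} pps  "
                  f"budget {b.cycle_budget:7.0f} cyc/pkt  "
                  f"{flag}, pinned by {b.attack_bps / 1e9:.2f} Gbps")


if __name__ == "__main__":
    main()
```

Under these assumptions a 1 GbE interface is link-bound even at 64-byte frames (about 1.49 Mpps, roughly 2000 cycles per packet of budget), while the same core behind 10 GbE is pinned by about 1.34 Gbps of minimum-size frames, which is the "few million PPS" failure mode Brent describes. Large frames on the same 10 GbE link stay link-bound, which is why a throughput test with 1518-byte packets says nothing about DDoS resilience. Replace the 1500-cycle figure with a measurement from a packet generator against the real box before using this for planning.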