nanog mailing list archives
Re: vyatta for bgp
From: Martin Millnert <millnert () gmail com>
Date: Mon, 12 Sep 2011 23:36:54 +0200
Brent,

On Mon, Sep 12, 2011 at 11:13 PM, Brent Jones <brent () servuhome net> wrote:

> Lots of devices can have trouble if you direct high PPS to the control plane, and will exhibit performance degradation, leading up to a DoS eventually. That isn't limited to software based routers at all, it will impact dedicated ASICs. Vendors put together solutions for this, to protect the router itself/control plane, whether it's a software based router or ASICs.
>
> Now if this was a Mikrotik with a 1 GHz Intel Atom CPU, sure, lots of things could take that thing offline, even funny looks. But a modern, multi-core/multi-thread system with multi-queued NICs will handle hundreds of thousands of PPS directed to the router itself before having issues, of nearly any packet size. A high end ASIC can handle millions/tens of millions PPS, but directed to the control plane (which is often a general purpose CPU as well, Intel or PowerPC), probably not in most scenarios.
>
> I think it's very fair for a small/medium sized organization to run software based routers, Vyatta included.
Speaking of Mikrotik there, I recently pushed 350 kpps of small packets through an x86 RouterOS image running under KVM (using VT-d for the NIC) on my desktop machine (which is a number I seem to run into more than once when it comes to Linux/Linux-derivative forwarding on a single queue & core). I saw a release note claiming their next software release will do 15-20% more on both MIPS and x86.

Unsurprisingly, open source software forwarding is still very far from 10G line rate of small packets through a single CPU core. 350 kpps of 64 B packets is of course merely 180 Mbps (notably, actually sufficient for handling incoming small packets on a 100 Mbps uplink).

Re adversaries or random scum filling your uplinks with useless bits, I think I hear the largest DDoSes now have filled 100G links, so.. don't make yourself a packeting target if you happen to run smaller links than that? :)

Generally, on staying alive through DDoS by anything else than some degree of luck, I guess having more bandwidth between your network and your peers than what your peers all have to their peers is advised (the statement could possibly be improved upon using some minimum cut graph theory language).

Best,
Martin
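Added illustration of two things the thread argues about, written for this archive page and not taken from the NANOG post, Vyatta or Mikrotik: the frame-rate arithmetic behind "350 kpps of 64 B is 180 Mbps" and "enough for a 100 Mbps uplink" (with standard Ethernet framing overhead), and a token-bucket policer that rate-limits only packets addressed to the router itself, which is the idea behind the vendor control-plane protection Brent refers to. The router address, the transit address and the packet stream are constructed; `police()` and `TokenBucket` are this example's own names.

```python
"""Added illustration for the NANOG thread above (not code from the post or
from Vyatta/Mikrotik): packet-rate arithmetic plus a token-bucket policer
that rate-limits only packets destined to the router's own addresses.
All inputs are constructed."""
from dataclasses import dataclass

# Standard Ethernet per-frame overhead on the wire: 7 B preamble + 1 B SFD
# + 12 B inter-frame gap. Not included in the 64 B minimum frame size.
ETH_FRAMING_OVERHEAD = 20


def line_rate_pps(link_bps: float, frame_bytes: int) -> float:
    """Maximum frames per second a link can carry at a given frame size."""
    return link_bps / ((frame_bytes + ETH_FRAMING_OVERHEAD) * 8)


def payload_bps(pps: float, frame_bytes: int) -> float:
    """Bits per second of frame payload represented by a packet rate."""
    return pps * frame_bytes * 8


@dataclass
class Packet:
    dst: str    # destination IP (constructed, RFC 5737 documentation ranges)
    size: int   # frame size in bytes
    t: float    # arrival time in seconds, non-decreasing


class TokenBucket:
    """Classic token bucket: `rate` tokens/s refill, at most `burst` stored."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def police(packets, router_addrs, rate_pps, burst):
    """Forward transit traffic untouched; police only packets for the router.

    Returns counts of forwarded (transit), punted (accepted to the control
    plane) and dropped (over the control-plane budget) packets.
    """
    bucket = TokenBucket(rate_pps, burst)
    stats = {"forwarded": 0, "punted": 0, "dropped": 0}
    for p in packets:
        if p.dst not in router_addrs:
            stats["forwarded"] += 1
        elif bucket.allow(p.t):
            stats["punted"] += 1
        else:
            stats["dropped"] += 1
    return stats


ROUTER_ADDRS = {"192.0.2.1"}  # constructed: the router's own address


def sample_stream():
    """Constructed 1 s of traffic: 1024 frames, every other one aimed at the
    router (512 pps to the control plane). Timestamps are exact binary
    fractions so the token arithmetic is reproducible."""
    return [
        Packet("192.0.2.1" if i % 2 == 0 else "198.51.100.7", 64, i / 1024)
        for i in range(1024)
    ]


if __name__ == "__main__":
    print(f"100M link, 64 B frames: {line_rate_pps(100e6, 64):,.0f} pps")
    print(f"10G link, 64 B frames:  {line_rate_pps(10e9, 64):,.0f} pps")
    print(f"350 kpps of 64 B frames: {payload_bps(350_000, 64) / 1e6:.1f} Mbps")
    # budget of 128 pps with a 16-packet burst for the control plane
    print(police(sample_stream(), ROUTER_ADDRS, rate_pps=128, burst=16))
```

With a 128 pps budget and a 16-packet burst, the 512 pps aimed at the router are cut to 143 accepted packets in that second while all 512 transit packets pass, which is the property a control-plane policer is after: an overload of packets for the router itself cannot starve forwarding. The line-rate numbers come out at roughly 148.8 kpps for 100 Mbps and 14.88 Mpps for 10 Gbps at 64 B, so a box that forwards 350 kpps does keep up with a saturated 100 Mbps link of minimum-size frames, as the post says.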