nanog mailing list archives
Re: Vyatta as a BRAS
From: Lamar Owen <lowen () pari edu>
Date: Fri, 16 Jul 2010 10:03:15 -0400
On Thursday, July 15, 2010 02:24:06 pm Łukasz Bromirski wrote:
(and I'm all for FreeBSD boxes, don't get me wrong, the whole point of this discussion is that either you're doing hardware forwarding and you're pretty safe [unfortunately often with a lot of caveats, but still], or you're doing software forwarding and you have a nice attack vector open for anyone willing)
This distills one of the points of view nicely. An operationally useful question is to ask (yourself) at what point (bandwidth- and type of traffic- speaking) does a particular box become vulnerable? 10Mb/s? 100Mb/s? 1Gb/s? 100Gb/s? Traffic directed at the control plane? Small packet traffic? Any traffic? Any box; hardware-based or software-based is irrelevant, because at some data volume all boxes become vulnerable; the variance is only in what volume the box can handle and how well the control plane is protected from that volume.

Test with reasonable traffic loads (and drawing on the collective wisdom of this group as to what is 'reasonable' for a BRAS is good!), and derive conclusions that fit your need. Knowing these things allows you to scale your solution to avoid the majority of the problems and buy what fits your projected scale over the design life of the solution.

Take a 2003-vintage OSR7609 (Sup2/MSFC2) still running 12.1E. Definitely a hardware-based router. Does it have a nice attack vector? Perhaps. Is this combination still in use? I'm not sure I want to know (Sup2/MSFC2 is, I know; the 12.1E part is the scary one). Hardware-based is not a magic bullet that destroys attack vectors dead in their tracks (as Łukasz hints at with the parenthetical caveats remark). And software-based is not defenseless, either.