nanog mailing list archives

Re: vyatta for bgp


From: Martin Millnert <millnert () gmail com>
Date: Mon, 12 Sep 2011 23:36:54 +0200

Brent,

On Mon, Sep 12, 2011 at 11:13 PM, Brent Jones <brent () servuhome net> wrote:
> Lots of devices can have trouble if you direct high PPS to the control
> plane, and will exhibit performance degradation, leading up to a DoS
> eventually.
> That isn't limited to software based routers at all, it will impact
> dedicated ASICs. Vendors put together solutions for this, to protect
> the router itself/control plane, whether it's a software based router
> or ASICs.
> Now if this was a Mikrotik with a 1GHz Intel Atom CPU, sure, lots of
> things could take that thing offline, even funny looks. But a modern,
> multi-core/multi-thread system with multi-queued NICs will handle
> hundreds of thousands of PPS directed to the router itself before
> having issues, of nearly any packet size.
> A high end ASIC can handle millions/tens of millions PPS, but directed
> to the control plane (which is often a general purpose CPU as well,
> Intel or PowerPC), probably not in most scenarios.
>
> I think it's very fair for a small/medium sized organization to run
> software based routers, Vyatta included.


Speaking of Mikrotik there, I recently pushed 350kpps of small packets
through an x86 RouterOS image running under KVM (using VT-d for the NIC)
on my desktop machine (which is a number I seem to run into more than
once when it comes to Linux/Linux-derivative forwarding on a single
queue and core). I saw a release note claiming their next software
release will do 15-20% more on both MIPS and x86. Unsurprisingly, open
source software forwarding is still very far from 10G line rate of small
packets through a single CPU core.
350kpps of 64B packets is of course merely 180 Mbps (notably, actually
sufficient for handling incoming small packets on a 100 Mbps uplink).

Re adversaries or random scum filling your uplinks with useless bits,
I think I hear the largest DDoS'es now have filled 100G links, so..
don't make yourself a packeting target if you happen to run smaller
links than that? :)

Generally, on staying alive through a DDoS by anything other than some
degree of luck, I guess having more bandwidth between your network and
your peers than what your peers all have to their peers is advised
(the statement could possibly be improved upon using some minimum cut
graph theory language).

Best,
Martin

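Martin's closing remark, that the "more bandwidth to your peers than your peers have to theirs" rule could be phrased in minimum-cut terms, worked through as an added example (it is not part of the thread and not any vendor's code). It builds a constructed two-peer topology with assumed link capacities in Gbps and runs Edmonds-Karp max-flow to find the minimum cut between the wider internet and your network; the names peering_topology, max_flow_min_cut and survivability are chosen here for illustration.

```python
"""Min-cut view of DDoS survivability (constructed example, not from the thread)."""
from collections import deque


def max_flow_min_cut(capacity, source, sink):
    """Edmonds-Karp max-flow on a dict-of-dicts capacity graph.

    Returns (flow_value, cut_edges): the maximum traffic volume that can be
    pushed from source to sink, and the saturated edges (u, v, capacity)
    that separate the source side from the sink side. Those cut edges are
    the links that fill up first when an attacker pushes as much as the
    graph allows.
    """
    # Residual graph: forward edges carry remaining capacity, reverse edges
    # carry the flow that could be cancelled.
    residual = {u: dict(edges) for u, edges in capacity.items()}
    for u, edges in capacity.items():
        for v in edges:
            residual.setdefault(v, {})
            residual[v].setdefault(u, 0)

    flow = 0
    while True:
        # Breadth-first search for a shortest augmenting path.
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, cap in residual[u].items():
                if cap > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            break  # no augmenting path left: flow is maximal

        # Bottleneck capacity along the path found.
        path_cap = float("inf")
        v = sink
        while parent[v] is not None:
            path_cap = min(path_cap, residual[parent[v]][v])
            v = parent[v]

        # Push the bottleneck amount along the path.
        v = sink
        while parent[v] is not None:
            u = parent[v]
            residual[u][v] -= path_cap
            residual[v][u] += path_cap
            v = u
        flow += path_cap

    # After the final (failed) BFS, `parent` holds exactly the nodes still
    # reachable from the source in the residual graph: the source side.
    source_side = set(parent)
    cut = [
        (u, v, capacity[u][v])
        for u in source_side
        for v in capacity.get(u, {})
        if v not in source_side
    ]
    return flow, cut


def peering_topology(my_uplink_gbps):
    """Constructed topology (assumed values): two transit peers, each with
    10 Gbps toward the wider internet and my_uplink_gbps toward my network."""
    return {
        "INTERNET": {"PEER_A": 10, "PEER_B": 10},
        "PEER_A": {"ME": my_uplink_gbps},
        "PEER_B": {"ME": my_uplink_gbps},
    }


def survivability(my_uplink_gbps):
    """Returns (worst-case inbound Gbps, bottleneck_is_my_links).

    bottleneck_is_my_links is True when every min-cut edge terminates at
    my network, i.e. my uplinks saturate before my peers' upstream links do.
    """
    flow, cut = max_flow_min_cut(peering_topology(my_uplink_gbps), "INTERNET", "ME")
    mine = all(v == "ME" for _, v, _ in cut)
    return flow, mine


if __name__ == "__main__":
    for uplink in (1, 10, 15):
        volume, mine = survivability(uplink)
        where = "my uplinks" if mine else "my peers' upstream links"
        print(f"{uplink} Gbps per peer link: up to {volume} Gbps can reach me; "
              f"the cut sits on {where}")
```

With 1 Gbps links to each peer the min cut is those two links (2 Gbps total), so the attack fills your side first; at 10 Gbps per link the cut moves to the peers' 10 Gbps upstream links, which is the condition Martin describes. The caveat is that the flow value is still the volume that lands on your network, so the min cut only tells you which links saturate first, not that the traffic goes away: you still need enough capacity or filtering to absorb that much.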
