vyatta for bgp

Does anybody currently use vyatta as a bgp router for their company? If
so have you run into any problems with using that instead of a cisco or
juniper router?

The days of public-facing software-based routers were over years ago - you need an ASIC-based edge router, else you'll end up getting zorched.

The days of public-facing software-based routers were over years ago - you
need an ASIC-based edge router, else you'll end up getting zorched.

wait, what?

How do you come to this conclusion? I think a software-based router for enterprise level (let's say on the 1G per provider level) can handle a fair amount of zorching. I checked the Cisco and Juniper docs and neither vendor is anywhere near releasing their anti-zorching ASICs.

Mike

I presume by "a fair amount" you mean "barely any"?

At large packet sizes, an "enterprise level" router will just about handle
a 1G DoS attack. Thing is, bandwidth DoS / DDoS is sufficiently easy to
pull off on a large scale that a 1G DoS is pretty easy.

Incidentally, most service providers use "enterprise level" as a by-word
for mediocre quality kit, lacking in both stability and useful features.

Nick

How do you come to this conclusion?

Unhappy experiences.

;>

I think a software-based router for enterprise level (let's say on the 1G per provider level) can handle a fair amount of zorching.

My experience indicates otherwise, FWIW. It's very easy to packet a software-based router over a relatively small transit link in the mb/sec range, much less gb/sec - it happens all the time, FYI.

There was a bug where you couldn't use two IPv4 peers and then add IPv6. I
haven't tested the newest versions yet to see if it still exists. Works
great for two IPv4 peers.

In your typical enterprise environment, a 1G DoS will zorch the link long
before it zorches the router at the enterprise side.

I agree that software-based routers are not a good choice for a backbone
provider, but, for an enterprise that is dealing with <1gbps links coming
in from ≤3 providers, the difference in cost makes a software router an
attractive option in many cases.

Of course it is important to understand the limitations of the solution you
choose, but, in such an environment, a USD100,000+ ASIC based router
may be like trying to kill a mosquito with a sledge hammer.

Owen

This contradicts my experience - I've repeatedly witnessed only a few mb/sec of 64-byte packets making software-based routers fall over, including just last month.

On the flip side, there's a *lot* of sites that have to make trade-offs, and the
risk that their $10K software-based router may fall over doesn't justify adding
another zero to the price tag, especially if their network includes a lot of
branch offices that would all add another zero....

Yes, but mainly the former.

;>

Would Cisco ISR G2 3925E classify as a software-based router?
Expected NDR performance is about 1845 pps (64-byte packets).
That should deliver room for some 100s of Mbps.
Do you expect it to bend itself down under a few Mbps of 64-byte packets?

http://www.anticisco.ru/pubs/ISR_G2_Perfomance.pdf

Everton

Would Cisco ISR G2 3925E classify as a software-based router?

Yes.

Do you expect it to bend itself down under a few Mbps of 64-byte packets?

Especially if they're directed at the router itself, at some point, sure - though the ISR2 certainly has more horsepower than the original ISRs, and I've personally yet to witness an ISR2 being DDoSed, so I've no feel for the specific numbers. Features also play a role.

This isn't to say that the ISR2 isn't a fine router - but rather that one must be cognizant of performance envelopes prior to deployment in order to determine suitability to purpose. One can't reasonably expect vendors to exceed their design constraints in any type of equipment.

;>

One can and should test the specific performance envelope of any prospective infrastructure purchase, of course.

Lots of devices can have trouble if you direct high PPS to the control
plane, and will exhibit performance degradation, leading up to a DoS
eventually.
That isn't limited to software-based routers at all; it will impact
dedicated ASICs. Vendors put together solutions for this, to protect
the router itself/control plane, whether it's a software-based router
or ASICs.
Now if this was a Mikrotik with a 1GHz Intel Atom CPU, sure, lots of
things could take that thing offline, even funny looks. But a modern
multi-core/multi-thread system with multi-queued NICs will handle
hundreds of thousands of PPS directed to the router itself before
having issues, of nearly any packet size.
A high-end ASIC can handle millions/tens of millions of PPS, but directed
to the control plane (which is often a general-purpose CPU as well,
Intel or PowerPC), probably not in most scenarios.

I think it's very fair for a small/medium-sized organization to run
software-based routers, Vyatta included.

CoPP.
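The protection Brent describes ("solutions ... to protect the router itself/control plane") and the one-word "CoPP." reply point at the same thing: policing what is allowed to reach the router's own CPU. Vyatta has no hardware CoPP, but its "local" firewall hooks apply a rule-set only to traffic addressed to the router itself. The configuration below is an added example written for this thread; it is not from any post here or from Vyatta's documentation. It assumes an upstream interface eth0, a single BGP peer at 192.0.2.1 (a documentation address), management hosts in 10.0.0.0/8, a rule-set name PROTECT-CP, and that the reader's Vyatta release supports the per-rule `limit rate`/`limit burst` options.

```text
# Added example, not from the thread or from Vyatta documentation.
# Assumed: upstream interface eth0, BGP peer 192.0.2.1 (documentation
# address), management hosts in 10.0.0.0/8, rule-set name PROTECT-CP.
# A Vyatta "local" firewall matches only traffic addressed to the router
# itself, which is exactly the traffic CoPP is meant to protect.
configure

set firewall name PROTECT-CP description "Control-plane protection"
set firewall name PROTECT-CP default-action drop

# Replies to sessions the router opened itself (DNS, NTP, the BGP
# session when this router is the one that initiates it).
set firewall name PROTECT-CP rule 10 action accept
set firewall name PROTECT-CP rule 10 state established enable
set firewall name PROTECT-CP rule 10 state related enable

# BGP only from the configured peer; anything else aimed at tcp/179 is dropped.
set firewall name PROTECT-CP rule 20 action accept
set firewall name PROTECT-CP rule 20 protocol tcp
set firewall name PROTECT-CP rule 20 destination port 179
set firewall name PROTECT-CP rule 20 source address 192.0.2.1

# ICMP is needed for path MTU discovery and troubleshooting, but cap it so
# an ICMP flood cannot pin the CPU. ('limit rate' / 'limit burst' are
# assumed to be available in the reader's Vyatta release.)
set firewall name PROTECT-CP rule 30 action accept
set firewall name PROTECT-CP rule 30 protocol icmp
set firewall name PROTECT-CP rule 30 limit rate 50/second
set firewall name PROTECT-CP rule 30 limit burst 20

# Management only from the internal network.
set firewall name PROTECT-CP rule 40 action accept
set firewall name PROTECT-CP rule 40 protocol tcp
set firewall name PROTECT-CP rule 40 destination port 22
set firewall name PROTECT-CP rule 40 source address 10.0.0.0/8

# Attach as a local (router-bound) filter on the upstream-facing interface;
# transit traffic is unaffected by a "local" rule-set.
set interfaces ethernet eth0 firewall local name PROTECT-CP

commit
save
```

Two caveats worth keeping in mind. First, this is netfilter running on the same CPU that forwards packets: every frame still has to be received and classified before it is dropped, so the rule-set narrows what reaches the BGP and SSH daemons and caps ICMP, but it does nothing against a flood that saturates the link or the interrupt budget, which is Owen's point about the link being zorched first. Second, verify that the BGP session re-establishes and that management access still works before `save`, and add a matching IPv6 rule-set (`firewall ipv6-name`) if the router carries IPv6 peers, since the IPv4 rule-set does not cover them.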

Brent,

Lots of devices can have trouble if you direct high PPS to the control
plane, and will exhibit performance degradation, leading up to a DoS
eventually.
That isn't limited to software-based routers at all; it will impact
dedicated ASICs. Vendors put together solutions for this, to protect
the router itself/control plane, whether it's a software-based router
or ASICs.
Now if this was a Mikrotik with a 1GHz Intel Atom CPU, sure, lots of
things could take that thing offline, even funny looks. But a modern
multi-core/multi-thread system with multi-queued NICs will handle
hundreds of thousands of PPS directed to the router itself before
having issues, of nearly any packet size.
A high-end ASIC can handle millions/tens of millions of PPS, but directed
to the control plane (which is often a general-purpose CPU as well,
Intel or PowerPC), probably not in most scenarios.

I think it's very fair for a small/medium-sized organization to run
software-based routers, Vyatta included.

Speaking of Mikrotik there, I recently pushed 350kpps of small packets
through an x86 RouterOS image running under KVM (using VT-d for the NIC)
on my desktop machine (which is a number I seem to run into more than
once when it comes to Linux/Linux-derivative forwarding on a single
queue & core). I saw a release note claiming their next SW release
will do 15-20% more on both MIPS and x86. Unsurprisingly, open
source software forwarding is still very far from 10G line rate of small
packets through a single CPU core.
350kpps of 64B packets is of course merely 180 Mbps (notably, actually
sufficient for handling incoming small packets on a 100 Mbps uplink).

Re adversaries or random scum filling your uplinks with useless bits,
I think I hear the largest DDoSes now have filled 100G links, so..
don't make yourself a packeting target if you happen to run smaller
links than that? :)

Generally on staying alive through DDoS by anything else than some
degree of luck, I guess having more bandwidth between your network and
your peers than what your peers all have to their peers is advised
(the statement could possibly be improved upon using some minimum cut
graph theory language).

Best,
Martin
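A worked calculation, added here and not part of Martin's or Everton's posts, to put the pps figures in the thread on a common footing. On Ethernet every frame occupies its own length $L$ plus 20 bytes of preamble, start-of-frame delimiter and inter-frame gap, so the most frames a link of bit rate $R$ can ever deliver per second is

$$
\text{pps}_{\max} = \frac{R}{8\,(L + 20)}
$$

For 64-byte frames this gives

$$
100\ \text{Mbit/s}: \frac{10^{8}}{8 \cdot 84} \approx 148{,}800\ \text{pps}, \qquad
1\ \text{Gbit/s}: \frac{10^{9}}{8 \cdot 84} \approx 1{,}488{,}000\ \text{pps}.
$$

Conversely, 350 kpps of 64-byte packets carries $350{,}000 \cdot 64 \cdot 8 = 179.2$ Mbit/s of frame payload, or about $350{,}000 \cdot 84 \cdot 8 \approx 235$ Mbit/s of wire time once the 20-byte overhead is counted. That is more than a 100 Mbit/s uplink can ever deliver in 64-byte frames, which is why the box survives a small-packet flood on that link, but well short of the 1.49 Mpps worst case on a 1G link. The practical check when sizing a router is therefore to compare its no-drop rate (NDR) in pps against $\text{pps}_{\max}$ for the attached link, not against the link's Mbit/s figure: a small-packet flood is bounded by packets per second, not by bits.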

In your typical enterprise environment, a 1G DoS will zorch the link long
before it zorches the router at the enterprise side.

It sure will, unless you have multiple 1G links into your router, in which
case the ddos will effectively trash all the links.

I agree that software-based routers are not a good choice for a backbone
provider, but, for an enterprise that is dealing with <1gbps links coming
in from ≤3 providers, the difference in cost makes a software router an
attractive option in many cases.

Of course it is important to understand the limitations of the solution you
choose, but, in such an environment, a USD100,000+ ASIC based router
may be like trying to kill a mosquito with a sledge hammer.

Indeed - as you implicitly point out, it's a cost / benefit thing. So then
the question becomes this: for the set of organisations which are large
enough to warrant multiple 1G upstreams, how long an outage can they
sustain before the price difference becomes worth it?

Let's throw some figures around (ridiculously simplified): a company has a
choice between a pair of $10k software routers or something like a pair of
MX80s for $25k each. So, one solution costs $20k; the other $50k. $30k
cost difference works out as $625 per month depreciation (4 year). I.e.
not going to affect the bottom line in any meaningful way.

Now say that this company has a DoS attack for 24h, and the company
effectively loses one day of revenue. On the basis that there are 260
office working days per year, the point at which spending an extra $30k for
a hardware router would be of net benefit to the company would be 260*30k =
$7.8m. I.e. if your annual revenue is higher than that, and if spending
that cash would mitigate against your DoS problems, then it would be worth
your while in terms of direct loss mitigation.

Of course, this analysis is quite simplistic and excludes things like
damage to reputation, online stores, the likelihood of DoS attacks
happening in the first place, the cost of transit and many other points of
reality. However, the point is that the break-even point for getting
serious horsepower for your transit requirements is surprisingly low once
you take into account the relationship between functional corporate
internet connectivity and either or both of corporate revenue and corporate
productivity.

It's extraordinary how much attention senior management starts paying when
everyone in the office starts twiddling their thumbs because connectivity
has been down for the day.

Nick

[snip]
How much "zorching" a software router can take depends on a lot of factors.
If the hardware necessary to size appropriately for the link is economical
and sufficient, zorching is not the largest concern. 1G link speed and 100M
link speed offer very different worst-case scenarios; the link can be
zorched long before the router is.

A software router running in a 32-bit OS on an old Pentium 4 can take a lot
less zorching than a router running on a server with 6-core 4GHz CPUs, when
interrupt coalescing is present and utilized efficiently.

Hardware-based routers have a lower forwarding latency, which makes them
more suitable for ISP/carrier networks, the "hop delay" penalty is lower,
and jitter might be a concern on a router running a non-real-time OS such
as a vanilla Linux kernel or other OS not specially designed for the router
task, but there's otherwise nothing wrong with appropriately specc'ed
software forwarders.

One thing.. the OP was asking about anyone using Vyatta for BGP. Using
Vyatta for BGP doesn't necessarily mean the Vyatta unit is actually a
device forwarding the packets... someone could be using it as a route
server, or for otherwise populating forwarding tables of other devices
with third-party next hops :)

+1

tv