On Thursday, July 15, 2010 02:24:06 pm Łukasz Bromirski wrote:
> (and I'm all for FreeBSD boxes, don't get me wrong, the whole point
>   of this discussion is that either you're doing hardware forwarding
>   and you're pretty safe [unfortunately often with a lot of caveats,
>   but still], or you're doing software forwarding and you have
>   a nice attack vector open for anyone willing)

This distills one of the points of view nicely.

An operationally useful question is to ask (yourself) at what point (bandwidth- and type of traffic-speaking) does a particular box become vulnerable? 10Mb/s? 100Mb/s? 1Gb/s? 100Gb/s? Traffic directed at the control plane? Small packet traffic? Any traffic?

Any box: hardware-based or software-based is irrelevant, because at some data
volume all boxes become vulnerable; the variance is only in what volume the box
can handle and how well the control plane is protected from that volume. Test
with reasonable traffic loads (and drawing on the collective wisdom of this
group as to what is 'reasonable' for a BRAS is good!), and derive conclusions
that fit your need. Knowing these things allows you to scale your solution to
avoid the majority of the problems and buy what fits your projected scale over
the design life of the solution.

Take a 2003-vintage OSR7609 (Sup2/MSFC2) still running 12.1E.  Definitely a 
hardware-based router.  Does it have a nice attack vector?  Perhaps.  Is this 
combination still in use?  I'm not sure I want to know (Sup2/MSFC2 is, I know; 
the 12.1E part is the scary one). 

Hardware-based is not a magic bullet that destroys attack vectors dead in their 
tracks (as Łukasz hints at with the parenthetical caveats remark).  And 
software-based is not defenseless, either.
