My comment would be:
That is simply a matter of opinion, and opinions may be swayed depending on the
market that signs your check? :)
There have been a fair share of appliance bugs/sec vulnerabilities over the
years as well.
I agree software-based deployments have their flaws but I do not agree t
On Jul 13, 2010, at 3:00 PM, wrote:
> I agree software-based deployments have their flaws but I do not agree that
> it cannot be managed securely with comparable or exceeding uptime -vs- a drop
> in appliance. I firmly believe it has its place in 'today's internet'.
When a single botted/mis
Hi
I'm working on a solution to offload my current internet facing, and soon
to be backbone, routers from terminating IBGP sessions from aggregation
network routers. I currently have 4948s (pizza box version of the
cat4500) in place, mostly bridging traffic, but some routing (OSPF,
couple dozen SVIs
On the subject of route reflection, I've run into a few people happy with
Quagga or OpenBGPD on intel hardware. You can throw a 1U box together with
dual PSUs, a bunch of ram, and SSD/CF disks for far less than a C or J setup
and won't be wasting money on ASICs you aren't using. If I recall correct
On 2010.07.13 10:06, Jack Carrozzo wrote:
> On the subject of route reflection, I've run into a few people happy with
> Quagga or OpenBGPD on intel hardware. You can throw a 1U box together with
> dual PSUs, a bunch of ram, and SSD/CF disks for far less than a C or J setup
> and won't be wasting mo
On 13 Jul 2010, at 15:06, Jack Carrozzo wrote:
> On the subject of route reflection, I've run into a few people happy with
> Quagga or OpenBGPD on intel hardware. You can throw a 1U box together with
> dual PSUs, a bunch of ram, and SSD/CF disks for far less than a C or J setup
> and won't be was
On 7/13/2010 2:56 AM, Truman Boyes wrote:
On 13/07/2010, at 4:50 PM, Dobbins, Roland wrote:
On Jul 13, 2010, at 1:34 PM, Sharef Mustafa wrote:
do you recommend it?
My comment would be that a software-based BRAS - 7200, Vyatta, et al. - is no
longer viable in today's Inte
On 7/13/2010 4:53 AM, Dobbins, Roland wrote:
On Jul 13, 2010, at 3:00 PM, wrote:
I agree software-based deployments have their flaws but I do not agree that it
cannot be managed securely with comparable or exceeding uptime -vs- a drop in
appliance. I firmly believe it has its place in '
>>
>
> They are all software based, no matter who builds them. Cisco IOS,
> Juniper JunOS, etc.
controlling hardware ASICs and FPGAs.
-g
On Jul 13, 2010, at 11:11 AM, Greg Whynott wrote:
>>>
>>
>> They are all software based, no matter who builds them. Cisco IOS,
>> Juniper JunOS, etc.
>
> controlling hardware ASICs and FPGAs.
Which are in essence software burned into chips. They can provide some
acceleration, but will
On Tuesday, July 13, 2010 11:11:57 am Greg Whynott wrote:
> > They are all software based, no matter who builds them. Cisco IOS,
> > Juniper JunOS, etc.
>
> controlling hardware ASICs and FPGAs.
That run low level software microcode and bitstreams. Sorry, it's software
running those ASIC'
On 7/13/2010 11:11 AM, Greg Whynott wrote:
They are all software based, no matter who builds them. Cisco IOS,
Juniper JunOS, etc.
controlling hardware ASICs and FPGAs.
In a PIX, it's a Pentium 4. I've also been in other routers that use
PowerPC. It depends on the manufactu
On Tuesday, July 13, 2010 04:53:55 am Dobbins, Roland wrote:
> When a single botted/misbehaving host easily can take down a software-based
> BRAS, that's a pretty strong indication that software-based edge devices are
> contraindicated, heh.
I'm assuming you have data on that assertion, right?
> >> My comment would be that a software-based BRAS - 7200, Vyatta, et
> >> al. - is no longer viable in today's Internet, and hasn't been for
> >> years, due to security/availability concerns. Same for peering/
> >> transit edge, customer aggregation edge, et al.
> >
> > A low cost 7200 or
On Jul 13, 2010, at 10:58 PM, Joe Greco wrote:
> It's interesting. One can get equally militant and say that hardware based
> routers are irrelevant in many applications.
When BCPs are followed, they don't tend to fall over the moment someone hits
them with a few kpps of packets - which sho
Sorry, it's software running those ASICs and FPGAs, even at that level
Sorry... It's a clock that runs ASICs and FPGAs.
HDL is simply used to describe functionality before synthesis tools
translate the design into real hardware (gates and wires)
- Original Message -
From: "Lamar Ow
On Tue, 13 Jul 2010 23:31:25 +0700, Christian Chapman said:
> >> Sorry, it's software running those ASICs and FPGAs, even at that level
> Sorry... It's a clock that runs ASICs and FPGAs.
And how many clockless CPU's have we seen so far?
--- rdobb...@arbor.net wrote:
When BCPs are followed, they don't tend to fall over the moment someone hits
them with a few kpps of packets - which should be a key criterion for an edge
device.
---
I'm guessing "a few kpps of packets" is toung
I haven't done real world testing with Vyatta but we consistently pass 750KPPS+
without the slightest hiccup on our FreeBSD routing systems.
Correct hardware with the right configuration can make all of the difference.
-Original Message-
From: "Dobbins, Roland"
Date: Tue, 13 Jul 2010 1
On Jul 14, 2010, at 12:39 AM,
wrote:
> I haven't done real world testing with Vyatta but we consistently pass
> 750KPPS+ without the slightest hiccup on our FreeBSD routing systems.
750kpps packeting the box itself?
Also, note that kpps is a small amount of traffic, compared to what even ve
On Jul 14, 2010, at 12:31 AM, Scott Weeks wrote:
> I'm guessing "a few kpps of packets" is tongue-in-cheek? Entry level script
> kiddies can get to a few hundred kpps easily.
That's what I meant - even a very small botnet can easily overwhelm
software-based edge routers.
---
Joe Greco wrote:
This isn't a new issue. Quite frankly, software routers have some very
great strengths, and also some large weaknesses.
Advocates of hardware based solutions frequently gloss over their own
weaknesses.
Let's talk plainly here.
I'm not going to touch on things like Cisco's so
On Jul 14, 2010, at 1:02 AM, Matthew Kaufman wrote:
> Dangerous in places where forwarding table
> exceeds hardware cache limits. (See Code Red worm stories)
During the Code Red/Nimda period (2001), and on into the Slammer/Blaster/Nachi
period (2003), all the routers I personally know of whic
Routing.
We can route that. If it were targeting the box itself it would depend if the
attack were getting through.
Certainly iptables can't handle something like that but pf does well with high
PPS rates. If it were all 'DROP' traffic then likely higher. If it were hitting
the box directly a
On Jul 14, 2010, at 1:29 AM, wrote:
> We were talking about routing though.
I was talking about packeting the boxes directly, apologies for being unclear -
that's what I meant when I said that the era of software-based edge boxes is
long past.
In that case you are entirely accurate. If you were to use Vyatta
(linux-based) systems for this then you would likely need additional
infrastructure to firewall or zone it to ensure it can't be hit directly.
Depending on what all it has running and the configuration it could be
firewalled off
On 13/07/2010 16:07, Curtis Maurand wrote:
> On 7/13/2010 4:53 AM, Dobbins, Roland wrote:
>> When a single botted/misbehaving host easily can take down a
>> software-based BRAS, that's a pretty strong indication that
>> software-based edge devices are contraindicated, heh.
>>
>> Software-based edge
Hi folks,
On Jul 13, 2010, at 12:05 PM, Nick Hilliard wrote:
> I think Roland's point was that on "hardware routers", there is a
> separation of function between the control and the forwarding planes, and
> that the forwarding plane is designed to be able to transmit data in an
> efficient paral
On Tue, 13 Jul 2010 18:11:45 -, "Dobbins, Roland" said:
> During the Code Red/Nimda period (2001), and on into the Slammer/Blaster/Nachi
> period (2003), all the routers I personally know of which were adversely
> affected were software-based, didn't make use of ASICs for forwarding.
Cisco 72
On Tuesday, July 13, 2010 03:02:21 pm khatfi...@socllc.net wrote:
> In that case you are entirely accurate. If you were to use Vyatta
> (linux-based) systems for this then you would likely need additional
> infrastructure to firewall or zone it to ensure it can't be hit directly.
Much like COPP
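The two points made above, that a Linux/BSD router must be "firewalled or zoned" so it cannot be hit directly, and that this is what CoPP does on a hardware box, come down to one mechanism: packets addressed to the router itself are classified and each class is policed separately, while transit packets never touch the control plane at all. The following simulation is an added example, not code from anyone in this thread or from Vyatta, Quagga or any vendor. It models a router with per-class control-plane policing beside an unprotected router whose CPU has one shared input queue, runs a constructed 10 kpps ICMP flood aimed at the box against both, and counts what happens to BGP keepalives from a configured peer. Addresses, rates and bursts are assumptions chosen for the example.

```python
"""Control-plane policing (CoPP) for a software router, modelled in Python.

Packets destined to the router's own addresses are "punted" to the control
plane; under CoPP each class gets its own token bucket.  Transit packets are
forwarded without ever reaching the control plane.  The same traffic is also
run against an unprotected router with a single shared control-plane queue.
Times and tokens are exact Fractions so the run is deterministic.
"""
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional

# Assumed addressing (RFC 5737 documentation prefixes), not from the thread.
ROUTER_ADDRS = {"192.0.2.1", "198.51.100.1"}
BGP_PEERS = {"192.0.2.2", "198.51.100.2"}

# Assumed policy: (packets per second, burst) per class; rate 0 means drop.
COPP_POLICY = {"bgp": (1000, 100), "icmp": (100, 20), "undesirable": (0, 0)}


@dataclass(frozen=True)
class Packet:
    t: Fraction                 # arrival time in seconds
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    flags: str = ""


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s, banks at most `burst`."""

    def __init__(self, rate: int, burst: int):
        self.rate, self.burst = Fraction(rate), Fraction(burst)
        self.tokens, self.last = self.burst, Fraction(0)

    def allow(self, now: Fraction) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def classify(pkt: Packet) -> str:
    """Map a packet to a CoPP class; anything not explicitly wanted is 'undesirable'."""
    if pkt.dst not in ROUTER_ADDRS:
        return "transit"            # forwarded in the data path, never punted
    if pkt.proto == "tcp" and pkt.dport == 179 and pkt.src in BGP_PEERS:
        return "bgp"                # only configured peers may talk BGP to us
    if pkt.proto == "icmp":
        return "icmp"               # useful, but never worth starving BGP for
    return "undesirable"            # BGP from strangers, SSH from the world, ...


class Router:
    def __init__(self, copp: bool, cp_capacity: int = 1000, cp_burst: int = 100):
        self.copp = copp
        self.shared = TokenBucket(cp_capacity, cp_burst)   # unprotected: one queue for all punts
        self.buckets = {c: TokenBucket(r, b) for c, (r, b) in COPP_POLICY.items()}
        self.stats: Counter = Counter()

    def process(self, pkt: Packet) -> str:
        cls = classify(pkt)
        if cls == "transit":
            self.stats["forwarded"] += 1
            return "forward"
        bucket = self.buckets[cls] if self.copp else self.shared
        verdict = "punt" if bucket.allow(pkt.t) else "drop"
        self.stats[f"{verdict}:{cls}"] += 1
        return verdict


def build_scenario() -> List[Packet]:
    """Constructed traffic: a one-second 10 kpps ICMP flood at the router itself,
    ten BGP keepalives from a real peer, five BGP SYNs from a stranger, and
    2000 transit packets that merely pass through the box."""
    pkts = []
    for i in range(10_000):
        pkts.append(Packet(Fraction(i, 10_000), "203.0.113.9", "192.0.2.1", "icmp"))
    for k in range(10):   # keepalive every 100 ms, placed between two flood packets
        t = Fraction(k, 10) + Fraction(1, 20) + Fraction(1, 20_000)
        pkts.append(Packet(t, "192.0.2.2", "192.0.2.1", "tcp", 179, "A"))
    for k in range(5):
        pkts.append(Packet(Fraction(k, 10) + Fraction(3, 100), "203.0.113.7", "192.0.2.1", "tcp", 179, "S"))
    for k in range(2_000):
        pkts.append(Packet(Fraction(k, 2_000), "203.0.113.20", "198.51.100.50", "udp", 53))
    pkts.sort(key=lambda p: p.t)
    return pkts


def run(copp: bool) -> Counter:
    """Run the scenario through a router and return its per-class counters."""
    router = Router(copp=copp)
    for pkt in build_scenario():
        router.process(pkt)
    return router.stats


if __name__ == "__main__":
    print("CoPP:     ", dict(run(True)))
    print("shared q: ", dict(run(False)))
```

With the shared queue, the flood keeps the single bucket empty and every keepalive from the legitimate peer is dropped, which is exactly the "one host takes down the BRAS" failure described earlier in the thread; with per-class policing the ICMP class is clamped to its own budget, BGP is untouched, and the stranger's BGP SYNs are discarded outright. On a real FreeBSD or Linux box the same classification lives in pf or nftables rules and the per-class rate limits in their state or meter options; the simulation only shows why the classes must be isolated from one another.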
--- On Tue, 7/13/10, valdis.kletni...@vt.edu wrote:
> I wasn't aware that the 7206 and M20 classified as
> software-based.
>
No weasel words necessary.
I won't speak for the M20, but I've always thought of the 7206 as a
software-routing platform - it's a pretty good swiss-army-knife software
On 7/13/10 10:56 AM, Dobbins, Roland wrote:
>
> On Jul 14, 2010, at 12:39 AM,
> wrote:
>
>> I haven't done real world testing with Vyatta but we consistently
>> pass 750KPPS+ without the slightest hiccup on our FreeBSD routing
>> systems.
>
> 750kpps packeting the box itself?
>
> Also, note t
I think the issue is: don't expect to build your own router using
Linux/BSD etc.
There are too many kernel parameters to tweak to make it optimal (unless a
suboptimal router is OK with your environment).
You need people that understand network and the appliance they sell you.
Why Cisco is
On Tuesday, July 13, 2010 12:31:25 pm Christian Chapman wrote:
> >> Sorry, it's software running those ASICs and FPGAs, even at that level
> Sorry... It's a clock that runs ASICs and FPGAs.
> HDL is simply used to describe functionality before synthesis tools
> translate the design into real hard
> On Jul 13, 2010, at 10:58 PM, Joe Greco wrote:
> > It's interesting. One can get equally militant and say that hardware based
> > routers are irrelevant in many applications.
>
> When BCPs are followed, they don't tend to fall over the moment someone hits
> them with a few kpps of packets
On Jul 14, 2010, at 3:26 AM, Tony Li wrote:
> The whole point about being DoS resistant is one of horsepower. To do DoS
> protection correctly, you need to be able to do packet examination at line
> rate.
Right. And to date, such routers make use of ASICs - i.e., 'hardware-based'
routers, i
On Jul 14, 2010, at 4:03 AM, wrote:
> I wasn't aware that the 7206 and M20 classified as software-based.
7200 certainly is - I'm not familiar with the minutiae of Juniper boxes, but I
believe the M20 is hardware-based. In the classic report you cite, the issue
with the M20 occurred due to la
On 14/07/10 02:18 +, Dobbins, Roland wrote:
On Jul 14, 2010, at 3:26 AM, Tony Li wrote:
The whole point about being DoS resistant is one of horsepower. To do
DoS protection correctly, you need to be able to do packet examination
at line rate.
Right. And to date, such routers make use o
On Jul 14, 2010, at 5:45 AM, Joe Greco wrote:
> That's just a completely ignorant statement to make.
It's based on a great deal of real-world experience; I'm sorry you consider
that to be 'ignorant'.
> I notice in particular how carefully you qualify that with "[w]hen BCPs are
> followed"; t
On Jul 14, 2010, at 9:31 AM, Dan White wrote:
> has the appearance of you struggling to hold on to an idea that may have been
> more true in the past,
It's true today, and I'm not 'struggling to hold' onto anything. Take any
software-based router from Cisco or Juniper or whomever (if Juniper
Dear,
I always receive the digest with a volume number, where the number of email
messages is shown. That is very grim for reading. Is there any possibility I
can receive individual email messages instead? Thanks
Yasir Munir Abbasi
Senior Network Engineer
Ciklum Pakistan
2nd floor, Software Technology
On Tue, 13 Jul 2010, Lamar Owen wrote:
Instruction issue? Execution unit? Special instructions? Sounds like
a software-driven processor to me. Specialized software instruction
set, yes. True hardware forwarding, no software involvement? No.
More like asymmetrical multiprocessing software