Denys Fedoryshchenko Sent: Monday, September 2, 2019 2:24 PM
On 2019-09-02 15:52, Baldur Norddahl wrote:
Maturity is such a subjective word. But yes there are plenty of options for routing protocols on a Linux. Every internet exchange is running BGP on Linux for the route server after all.
I am not recommending a server over MX204. I think MX204 is brilliant. It is one of the cheapest options and if that is not cheap enough, THEN the server solution is probably what you may be looking for.
You can move a lot of traffic even with an old leftover server. Especially if you are not concerned with moving 64 bytes DDoS at line speed, because likely you would be down anyway in that case.
As to the OPEX I would claim there are small shops that would have an easier time with a server, because they know how to do that. They would have only one or two routers and learning how to run JUNOS just for that might never happen. It all depends on what workforce you have. Network people or server guys?
Regards
Baldur
I think that such types of DDoS are much easier to solve on a server with XDP/eBPF than on MX. And much cheaper if we are talking about the new SYN+ACK DDoS, and it is exactly the 64b DDoS case. I used multiple 82599.
From snabbco discussion, issue #1013, "If you read Intel datasheets then the minimum packet rate they are guaranteeing is 64B for 10G (82599), 128B for 40G (XL710), and 256B for 100G (FM10K)."
But "hardware", ASIC-enabled routers such as MX might not be better and even need some tuning. https://kb.juniper.net/InfoCenter/index?page=content&id=KB33477&actp=METADATA "On summit MX204 and MX10003 platforms, the line rate frame size is 119 byte for 10/40GbE port and 95 byte for 100GbE port." Or some QFX, for example: Broadcom Tomahawk 32x100G switches only do line-rate with >= 250B packets according to datasheets.
You nailed it. Actually, very few line-cards or fabric-less boxes with (run to completion vendor chips) out there do line-rate at 64B packets nowadays. With the advent of 100G the "line-rate at 64B" is pretty much not a thing anymore... Something to consider, not because one wants to push 64B packets at line-rate on all ports but because one needs to push IMIX through QOS or filters... and the card/box might simply not deliver.
adam