On Jul 13, 2010, at 10:58 PM, Joe Greco wrote:
It's interesting. One can get equally militant and say that hardware based routers are irrelevant in many applications.
When BCPs are followed, they don't tend to fall over the moment someone hits them with a few kpps of packets - which should be a key criterion for an edge device.
The same can't be said of software-based devices.
That's just a completely ignorant statement to make. I notice in particular how carefully you qualify that with "[w]hen BCPs are followed"; the fact that hardware router manufacturers have declared everything and anything that derails their bullet trains as "not a BCP" is a perfect example of this deceptive sort of misinformation.

There are plenty of FreeBSD based devices out there that are passing tons of traffic; almost any of them are more competent than any Cisco router I'm aware of when hitting them directly with traffic, since the CPUs on your average Cisco are pretty flimsy, the CPU on a FreeBSD box is going to be fairly current tech, and the code on a FreeBSD box is going to have been designed to defend against such attacks because things like IRC server operators often don't have the luxury of hiding their device management on a protected net.

The fact of the matter is that the way that most "hardware" platforms try to survive a DoS attack against their control plane is through hardware filtering; to the extent that that works, it's going to be pretty effective. However, if we're going to allow for that, then we have to allow the software platform to defend itself with a firewall as well, and once you do that, on both platforms, what actually happens in the end is that both devices can successfully defend at gigabit speeds, but you start losing traffic because you're filling the inbound pipe.

Or, put another way: "When BCPs are followed, software devices don't tend to fall over the moment someone hits them with a few Mpps of packets either."

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.