Hi folks,

On Jul 13, 2010, at 12:05 PM, Nick Hilliard wrote:

> I think Roland's point was that on "hardware routers", there is a separation of function between the control and the forwarding planes, and that the forwarding plane is designed to be able to transmit data in an efficient parallel manner. I.e. on a well-designed hardware router, if you trash the data path on the router through ingress A and egress B, the damage stops there: the control plane is unaffected and ingress C to egress D is also ok (for arbitrary values of C and D).
The key point here is one of design, not one of implementation technology. If you need a router that is robust against DoS attacks, then that's what you should buy. Such routers can be built from ASICs, CPUs, or even 7400 series TTL, if you work hard enough at it. There is no meaningful distinction of 'hardware' or 'software'. All of the ASIC based systems embody processors of various flavors in the ASICs that are running forwarding software. And the difference between an ASIC and a CPU is not as much as you might think. Ok, ASICs typically don't go to full custom layout (though some crazy people have done that) and are typically a few steps behind on the process technology curve. But this is not the fundamental issue.

The whole point about being DoS resistant is one of horsepower. To do DoS protection correctly, you need to be able to do packet examination at line rate. When there are packets destined for the router, they need to be classified appropriately, queued carefully and those queues need to be serviced in The Right Way (tm). If your system has the performance to do this in addition to the normal transit load on the system, then it's in pretty good shape.

Regards,
Tony
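Added example, not from the thread or any vendor's code: a toy Python model of the punt path Tony describes, where packets destined for the router are classified, policed per class at ingress, and the resulting queues are serviced by priority, so a flood in one class cannot starve routing-protocol traffic. The class rules, port numbers and per-tick budgets are constructed assumptions.

```python
from collections import deque

# Constructed per-tick policer budgets for router-destined ("punt") traffic.
# These numbers are illustrative, not taken from any real platform.
RATE_PPS = {"routing": 50, "mgmt": 20, "icmp": 10, "other": 5}

def classify(pkt):
    """Map a punted packet to a control-plane class (hypothetical rules)."""
    if pkt["proto"] == "tcp" and pkt["dport"] in (179, 646):   # BGP, LDP
        return "routing"
    if pkt["proto"] == "tcp" and pkt["dport"] in (22, 830):    # SSH, NETCONF
        return "mgmt"
    if pkt["proto"] == "icmp":
        return "icmp"
    return "other"

def police_and_queue(pkts, queues, budget):
    """Line-rate step: count per class, drop above budget, queue the rest.
    Excess in one class only affects that class's counter."""
    used = {c: 0 for c in budget}
    dropped = 0
    for p in pkts:
        c = classify(p)
        if used[c] < budget[c]:
            used[c] += 1
            queues[c].append(p)
        else:
            dropped += 1
    return dropped

def service(queues, capacity):
    """Control-plane CPU drains queues in strict priority order each tick."""
    served = {c: 0 for c in queues}
    for c in ("routing", "mgmt", "icmp", "other"):
        while capacity and queues[c]:
            queues[c].popleft()
            served[c] += 1
            capacity -= 1
    return served

def run_tick(pkts, cpu_capacity=40):
    queues = {c: deque() for c in RATE_PPS}
    dropped = police_and_queue(pkts, queues, RATE_PPS)
    return service(queues, cpu_capacity), dropped

def flood_scenario():
    """Constructed tick: a 1000-packet ICMP flood arriving with 30 BGP packets."""
    flood = [{"proto": "icmp", "dport": 0}] * 1000
    bgp = [{"proto": "tcp", "dport": 179}] * 30
    return run_tick(flood + bgp)
```

In the flood scenario every BGP packet is still serviced while 990 of the ICMP packets are dropped at the policer, which is the isolation property the thread is arguing a DoS-robust router must provide.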