> From: "Avi Freedman"
> "Router CPUs average 50%, and S-BGP adds 10%" (paraphrase) Average is somewhat less relevant than common peaks. GSRs and 7500s and 7200s all get up there at 90+% on the real Internet.
I agree. I have a tricked-out 7200 managing 3 peers. Normal traffic utilization rate is 30% CPU usage. The BGP scan kicks it to 90%+ CPU. During DDoS attacks, the hardest part of stabilizing the system is CPU resource management and in particular BGP stability. Often, one peer has to be shut down to maintain stability on the other two. At that point, work can continue to track and block the DDoS. Then all peers can be brought up, but depending on the severity of the attack, CPU can still be cranking at 90-96%, though at least traffic is stable. Changes to how we do BGP have effects beyond just BGP routing. They also affect other routing and network issues.
> And with the assumption that people will be willing to front their big iron with offboard routing CPU boxes.
Offload routing? To where? A server running an OS that can't run half the life of my router without a reboot? To a port adapter that my router doesn't have room for? Or do I need to call Cisco and say, "Congrats! You finally get to sell me that $140,000 7500 series router I previously couldn't afford and didn't quite need yet." Here's the kicker: I couldn't inject a route that wasn't mine into any of my peers without calling them first and asking permission. My network doesn't gain anything, but I lose a lot.
> I just don't see these things happening. And even if they could/would, I think S-BGP needs more paranoid simulation/attack/analysis before it in particular could be the grand fix.
I agree. Deployment would also be long in coming. I may run an all-Cisco network, but I don't run any code past 12.0, and when possible, GD releases only. From deployment of the finalized protocol, I'd expect a 3-5 year wait (probably longer) before the protocol reaches a Cisco GD maturity level.

-Jack