On Jul 14, 2010, at 10:17 PM, Joe Greco wrote:
The truth is that you can keep throwing CPU at a problem as well. I can size a software based router such that it can remain available.
Not against mpps, or even high kpps, you can't, unfortunately.
Really? I'm positive that I can, because I *have*, and other people *have*. The sweet spot for protecting a 100Mbps circuit, in particular, moved from hardware to software about five years ago. That simply means it's more cost-effective for a competent admin to spend some time to set up the box than it is to spend money on dedicated silicon that'll be obsolete in a few years, a fact that's conveniently ignored by a lot of the advocates of such solutions.

To drive the point home, FreeBSD based routers that we built in 2004 are able to cope with full routing tables and IPv6 *today*, at the same traffic levels they were designed for, and those particular qualities don't seem to be present in many of the hardware-based offerings of the era. If and when they cease to be useful in that capacity, they can be trivially repurposed as firewalls or web servers or other similar tasks, because unlike the pricey purpose-built router hardware, there are advantages to general purpose hardware.

Quite frankly, this is starting to be a little annoying. Perhaps you could do some research, or find some competent admins and test a few well built setups yourself before you make any more disprovable claims. My claims are not ridiculous and are not a figment of my imagination; I can point to many-years-old documented examples, such as

http://lists.freebsd.org/pipermail/freebsd-net/2004-September/004840.html
http://info.iet.unipi.it/~luigi/polling/

These are tests of forwarding capabilities, true, but the reality is that the same sorts of things that make this possible make it relatively easy to support large numbers of packets directed "at the control plane", since the concept of the control plane isn't as separated in the FreeBSD software model as it is in the hardware model. As a result, a FreeBSD box can take and sink quite a bit of traffic. Doing so does not cripple it.
For giggles, I took two out-of-the-box FreeBSD 8.0 servers, twiddled *only* device polling to on, and started them running traffic at each other. Both were sending north of 100Mbps (>>100Kpps) of traffic at the other, both when listening and when not, no problems, no crashes, no issues. That doesn't sound too great until I reveal that I was lazy and it's only some excess capacity on a VMware box that's available to these two virtual servers.
Software based platforms have an incredible edge in areas that hardware based platforms don't, including capex and the ability to find replacement parts after a disaster.
I agree 100% with this, and with much of what you say. My point is that at the *edge* - like a BRAS, which is how this thread started - one must have platforms which can be adequately protected against attack/abuse, and hardware-based platforms are the only practical way to do that.
In some cases, for some purposes, yes. Otherwise, no.

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
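The device-polling setup and the pps measurement behind the two-box test above, written out as an added example; it is not code from the thread or from any of its participants. It assumes a FreeBSD 8.x kernel built with `options DEVICE_POLLING`, an em(4) interface named em0, and kern.polling tunable values picked for illustration rather than taken from the thread. The netstat -w sample lines are constructed, and only their first (input packets) column is used.

```shell
#!/bin/sh
# Added example, not from the NANOG thread. Assumes FreeBSD 8.x with
# "options DEVICE_POLLING" in the kernel config. Interface name and the
# kern.polling values are assumptions; tune them for your NIC and hz.

IFACE="${IFACE:-em0}"

# Switch the interface from interrupt-driven to polled operation.
# user_frac caps the share of each tick spent in user space (so a flood
# cannot starve userland); burst_max bounds packets handled per poll.
enable_polling() {
    sysctl kern.polling.user_frac=50
    sysctl kern.polling.burst_max=1000
    ifconfig "$IFACE" polling
}

# Average input packets/sec over the per-second lines printed by
# "netstat -w 1 -I $IFACE". Header lines start with a word, data lines
# with the input packet count, so only all-digit first fields are summed.
avg_pps() {
    awk '$1 ~ /^[0-9]+$/ { sum += $1; n++ }
         END { if (n) printf "%d\n", sum / n; else print 0 }'
}

# Constructed sample of netstat -w output: three one-second samples at
# roughly 120 Kpps inbound, which is the order of magnitude in the test.
SAMPLE='            input          (em0)           output
   packets  errs      bytes    packets  errs      bytes colls
    120113     0   7807345     119980     0   7798700     0
    121500     0   7897500     121200     0   7878000     0
    119887     0   7792655     119790     0   7786350     0'

# On a real box replace the sample with: netstat -w 1 -I "$IFACE" | head -n 12
measure() {
    printf '%s\n' "$SAMPLE" | avg_pps
}

# Only touch the NIC when actually run on FreeBSD and asked to.
if [ "$(uname -s)" = "FreeBSD" ] && [ "$1" = "enable" ]; then
    enable_polling
fi
measure
```

Run it as `sh polling.sh enable` on the FreeBSD box to flip polling on, then point the traffic generator at it and replace the constructed SAMPLE with live `netstat -w 1 -I em0` output to watch the input pps while the box stays responsive.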