[j-nsp] M20 FPC throughput
saku+juniper-nsp at ytti.fi
Mon Aug 15 04:46:04 EDT 2005
On (2005-08-15 04:27 -0400), Richard A Steenbergen wrote:
> So the big answer at the end is that it takes 2.575 GigEs sending 65-byte
> packets at their line rate of 1.21Mpps each to exhaust an FPC. Feel free
> to double-check my math on that, it's late, but I'm pretty sure that's
> right. Of course that is a non-realistic situation which you would only
> ever encounter in a DoS attack specifically targeting Junipers, but it
> helps to know what the worst case really is.
Indeed, I've done the same math for GSR and JNPR also. And GSR has other
big weaknesses also; while I love the boxes in the right context, they're
an absolute failure (when running IOS) when it comes to protecting them:
GSR cannot be protected in an acceptable way without using iACL
(which everyone in the Internet should be using by now, instead of
bashing vendors about bugs that will always be there).
I dread the moment when script kiddies learn GSR/JNPR basics, especially
GSR; learning to put the right data in the packet, it shouldn't take much
more than 350kpps to force GSR to drop all IGP etc. on that interface.
rACL and CoPP shouldn't help that much, as they're done in the LC CPU
instead of the ASIC; without having IOS XR clues, I'd be ready to bet money
that they're done in ASIC in IOS XR.
OTOH, this particular attack luckily isn't as powerful against GSR
as it is against JNPR, due to the smaller cell size in GSR.
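The thread above reasons about the worst case for a cell-based forwarding engine (65-byte packets, line-rate pps per GigE, how many GigEs exhaust an FPC) without showing the arithmetic. The following is an added calculator written for this page, not code from either poster: it assumes a 64-byte fabric cell (the Juniper J-cell size), 20 bytes of Ethernet preamble/SFD/IFG overhead per frame, and a purely hypothetical FPC cell budget, and it searches the legal frame-size range for the size that maximises cells per second. Because the overhead and cell-size assumptions are mine, the per-link pps it prints is not the 1.21Mpps figure from the quoted post; the point is the shape of the worst case, which is why a packet one byte over the cell size is the one an attacker would pick.

```python
"""Worst-case cell-load calculator for a cell-based forwarding engine.

Added example for this thread; all constants below are assumptions,
not figures taken from the original posts.
"""

# Assumed per-frame Ethernet overhead on the wire: 7 preamble + 1 SFD + 12 IFG.
ETHER_OVERHEAD_BYTES = 20
# Assumed fabric cell size (Juniper J-cell). GSR is assumed to use a smaller one.
CELL_BYTES = 64
# Purely hypothetical FPC cell-processing budget, in cells per second.
HYPOTHETICAL_FPC_CELLS_PER_SEC = 6_000_000


def line_rate_pps(frame_bytes, link_bps=1e9, overhead=ETHER_OVERHEAD_BYTES):
    """Packets per second a link can carry at a given frame size."""
    return link_bps / ((frame_bytes + overhead) * 8)


def cells_per_packet(frame_bytes, cell_bytes=CELL_BYTES):
    """Fabric cells consumed by one frame (ceiling division)."""
    return -(-frame_bytes // cell_bytes)


def cells_per_second(frame_bytes, link_bps=1e9, cell_bytes=CELL_BYTES):
    """Cell load a single link imposes at line rate for this frame size."""
    return line_rate_pps(frame_bytes, link_bps) * cells_per_packet(frame_bytes, cell_bytes)


def worst_case_frame_size(min_frame=64, max_frame=1518, cell_bytes=CELL_BYTES):
    """Frame size in [min_frame, max_frame] that maximises cells/s.

    For a 64-byte cell this is 65 bytes: the frame is small enough to keep
    pps near its maximum, yet needs two cells instead of one.
    """
    return max(range(min_frame, max_frame + 1),
               key=lambda n: cells_per_second(n, cell_bytes=cell_bytes))


def links_to_exhaust(budget_cells_per_sec, frame_bytes, link_bps=1e9, cell_bytes=CELL_BYTES):
    """How many line-rate links of this frame size exhaust the given cell budget."""
    return budget_cells_per_sec / cells_per_second(frame_bytes, link_bps, cell_bytes)


def attack_gain(cell_bytes, min_frame=64, max_frame=1518):
    """Cells/s at the worst-case frame size divided by cells/s at min_frame.

    A cell size at or above min_frame lets a one-byte-larger frame double the
    per-packet cell count; a smaller cell leaves less headroom for the attacker.
    """
    worst = worst_case_frame_size(min_frame, max_frame, cell_bytes)
    return cells_per_second(worst, cell_bytes=cell_bytes) / cells_per_second(min_frame, cell_bytes=cell_bytes)


if __name__ == "__main__":
    worst = worst_case_frame_size()
    print(f"worst-case frame size for {CELL_BYTES}-byte cells: {worst} bytes")
    print(f"line-rate pps per GigE at {worst} bytes: {line_rate_pps(worst):,.0f}")
    print(f"cells/s per GigE at {worst} bytes: {cells_per_second(worst):,.0f}")
    print(f"GigEs to exhaust a hypothetical {HYPOTHETICAL_FPC_CELLS_PER_SEC:,} cells/s FPC: "
          f"{links_to_exhaust(HYPOTHETICAL_FPC_CELLS_PER_SEC, worst):.3f}")
    print(f"attack gain vs 64-byte frames, 64-byte cell: {attack_gain(64):.2f}x")
```

Run it as-is to see the 64-byte-cell case; pass a different `cell_bytes` to `worst_case_frame_size` and `attack_gain` to see how a smaller cell changes the worst-case frame size and shrinks the gain over plain minimum-size packets, which is the effect the poster describes for GSR.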