Chuck Yerkes chuck+soekris at 2004.snew.com
Wed Apr 21 23:38:07 UTC 2004

Quoting J Baber (jvbaber at hotmail.com):
> Hello,
> I am curious about the feasibility of software vs. hardware routing, and 
> have a few questions (although I've configured routers before, I've never 
> worked with the actual components):
/me wonders what hardware routing is...  ASICs?  FPGAs that speak IP?

> 1.  With a device like the Soekris net4501-30 (or any other Soekris device 
> with 2 or more NICs, 133 MHz), what is the limitation of the throughput if 
> you are using Linux or *BSD with available routing protocols and a 
> software/OS based firewall?

passing packets through seems to go between 35-45mb/s.

> 2.  Does a device like a low-end Cisco router use an embedded OS
yes, IOS
> (like Linux or *BSD),
> or does it use firmware (i.e. is it all "system-in-a-chip" based)?
Um, if I burn BSD to a prom is taht considered "firmware?"

IOS is an operating system. The part that the users sees is the
interface for ACLs and all the usual cisco setup.

> 3.  Does anyone have any experience with the performance of a software VPN 
> host vs. using a hardware device like the Soekris vpn1201/1211 or 
> vpn1401/1411?  I see specs on the throughput capacity of the HiFn chips, 
> but how does this compare to a software VPN alternative?

It IS a software VPN.  Some of the OSs support using a crypto accelerator.
Soren has 2 of these: the 1201 and 1401.

I think you'd be hard pressed to find the full protocol in a hardware

The Crypto accelerators are great for a 133MHz or 266MHz chip.
Put them into a 2 way x 3GHz box and the time you spend setting up
the connection to the accelerator will exceed the time you could
have spent just doing the math.

I dunno if that's a rethink of the software?  If a card with 4
accelerators and more smarts (to keep a connection open to the main
OS) would be helpful, but at this time, an accelerator is most
useful on (2004) slow machines.

