[Soekris] Software Routing/Firewall/VPN Performance and Feasibility
chuck+soekris at 2004.snew.com
Wed Apr 21 23:38:07 UTC 2004
Quoting J Baber (jvbaber at hotmail.com):
> I am curious about the feasibility of software vs. hardware routing, and
> have a few questions (although I've configured routers before, I've never
> worked with the actual components):
/me wonders what hardware routing is... ASICs? FPGAs that speak IP?
> 1. With a device like the Soekris net4501-30 (or any other Soekris device
> with 2 or more NICs, 133 MHz), what is the limitation of the throughput if
> you are using Linux or *BSD with available routing protocols and a
> software/OS based firewall?
Passing packets through seems to go between 35-45mb/s.
> 2. Does a device like a low-end Cisco router use an embedded OS
> (like Linux or *BSD),
> or does it use firmware (i.e. is it all "system-in-a-chip" based)?
Um, if I burn BSD to a PROM is that considered "firmware?"
IOS is an operating system. The part that the user sees is the
interface for ACLs and all the usual Cisco setup.
> 3. Does anyone have any experience with the performance of a software VPN
> host vs. using a hardware device like the Soekris vpn1201/1211 or
> vpn1401/1411? I see specs on the throughput capacity of the HiFn chips,
> but how does this compare to a software VPN alternative?
It IS a software VPN. Some of the OSs support using a crypto accelerator.
Soren has 2 of these: the 1201 and 1401.
I think you'd be hard pressed to find the full protocol in a hardware
The Crypto accelerators are great for a 133MHz or 266MHz chip.
Put them into a 2 way x 3GHz box and the time you spend setting up
the connection to the accelerator will exceed the time you could
have spent just doing the math.
I dunno if that's a rethink of the software? If a card with 4
accelerators and more smarts (to keep a connection open to the main
OS) would be helpful, but at this time, an accelerator is most
useful on (2004) slow machines.