Vyatta / VyOS / Free-Range -- Router Firewall Project Updates
All these are / were open-source, mature, fast and robust network router implementations, including protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, RIP, etc.
The VyOS project was forked off when Vyatta ceased continuous open-source development and was acquired by Brocade. All these projects integrate with the Linux / xBSD IPv4 and IPv6 networking stacks and provide extensive support for NAT, ACL and Netfilter-based firewall features.
Paxym's team is proud to have completed the first ever port of VyOS / FR-Routing to an OCTEON MIPS based Network Processor.
In addition to the complete port for the customer, Paxym's team also developed an off-load Accelerator utilizing additional data-plane cores on the Network Processor. The off-load Accelerator allowed our Services Customer to reach multi-gigabit speeds using a low core count on the OCTEON-III MIPS64 Network Processor.
Some details of the port project:
VyOS Helium (v1.1.7 Feb-2016) distribution
Featured port of VyOS / FR-Routing to OCTEON-III CN7130, CN7240 MIPS64 @ 1.6 GHz, 2G RAM, 4/8 cores.
- DHCPv3 IPv4 Server
- DHCP IPv4 Relay
- DHCP IPv4 Client
- Firewall (Stateless ACL)
- PPPoE Client
- QoS (A: input rate-limiters, output traffic shapers)
- QoS (B: queueing, traffic marking, qdisc / tc)
- Busybox Root-FS optimization
- GRE Tunnels
- IPSec (Kernel IPSec + User-space Strong-Swan VyOS)
- IPv6 (Forwarding, Routing, Host, ARPv6, UDP/TCPv6, MTU discovery, Neighbor Discovery, Address assignments)
- IPv6 NAT
- VPN Server
- L2TP Client
- Routing Protocols: RIPng, OSPFv6
- Access: ssh, telnet
- Management: SNMPv4, SNMPv6
- VLAN Routing, Subinterfaces, Bonding, Single-Tag
- Port all VyOS packages for OCTEON-III MIPS64
Additional Accelerator features added:
- High speed forwarding FIB tables
- Off-load NAT, ACL and Firewall tables
- IPv6 support to offload accelerator
- IPv6 VLAN support
- Complete IPv4 and IPv6 statistics tracking
- Rate-limit all packets punted to slow-path.
- Traffic shaping using Flow-buckets, Confirm-action, Exceed-action, ceil
- Outbound PCP overwrite for certain VLANs
- VRF support in VyOS (control-plane slow-path) and Accelerator (fast-path)
- Kernel name-spaces support integrated with corresponding User-space utilities and Accelerator support
- Highly optimized Data-Plane engine software written in OCTEON's Simple-Exec model.
- Replicate Network topology (Initial and Dynamic updates) from Control-Plane to Data-Plane.
- Complete Packet/Byte statistics and operational management from Linux UI.
- Complete Firewall off-load in Accelerator stack, including NAT, ACL, QoS, Traffic-shaping
- GREv2 tunnels offload
- Traffic shaping algorithms applied to traffic punted to Control-Plane slow-path
- IPSec offload in Accelerator Fast-path
- IPSec acceleration (complete IPSec handling in Accelerator fast-path utilizing OCTEON crypto related instructions)
- Support for AES-128, AES-256 with AES GCM subvariation, MD5/SHA-1/SHA-2, IKE, IKEv2 in Accelerator (SADB, Tunnels db, Strong-Swan in user-space for tunnel establishment and tear-down)
- No loss performance testing and tuning for 64B, 300B, 1500B packet sizes on 1 core, 2 cores and 3 cores, with 100s of flows.
- Excellent scaling from 1 - 15 cores.
- Support for Gigabit PHYs from multiple vendors: Microsemi, Marvell, Broadcom, etc.