Section 1
Why use LRP instead of a full Linux distribution?
"Why should I use the LRP mini-distribution instead of [name a full Linux distribution]? Is it faster/better/safer to do it another way?"
Frequently Provided Answer:
I doubt that you're going to notice a speed difference, if all the full distro does is route. The real benefits to routing with LRP are:
Read-only boot media -- loading from read-only media and running from ramdisk provides awesome security and stability. If you've got a problem or suspect a compromise, simply power cycle to restore functionality and hunt down the problem at your leisure.
Hardware requirements -- the two parts of your computer which are most likely to fail are the hard disk and the power supply fan (which leads to the power supply itself failing). With LRP, you pull out the hard disk and mount it as /tmp or /home or /var/log in some other machine. Without the disk or CDROM, the router will produce a much lower level of heat, reducing the likelihood and impact of power supply fan failure.
Simplicity of design -- Like the deny-everything-and-allow-exceptions firewall policy, LRP provides higher security than a full Linux distro. Install RedHat or Mandrake or whatever and select only the bare minimum of packages that the installer will let you get away with. You've got anywhere from 110 MB to 500 MB installed. Now boot and take a look at what's been installed, and ask how many of these programs can be attacked with buffer overflows or will provide convenient tools for an attacker to use against other computers. With LRP, if you do get cracked the attacker will have to bring everything -- there's no ftp client, no telnet client, no uuencode, no network tools except for nc.
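The "take a look at what's been installed" check above can be scripted. This is an added example, not part of LRP or of the original FAQ: it looks for the four tools named in the paragraph and counts installed executables under a root directory you pass in (a live system, a mounted image, or a chroot). The directory list and function names are assumptions.

```shell
#!/bin/sh
# Added example: inventory a root filesystem for the client tools the FAQ
# names (ftp, telnet, uuencode, nc) and count the executables installed.

AUDIT_TOOLS="ftp telnet uuencode nc"
# Assumption: the usual binary directories; adjust for your distribution.
AUDIT_DIRS="bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin"

# Print the path of every named tool found under root $1, one per line.
find_tools() {
    root=${1:-/}
    for d in $AUDIT_DIRS; do
        dir="${root%/}/$d"
        # Skip symlinked directories (merged /usr) to avoid double reporting.
        if [ -L "$dir" ] || [ ! -d "$dir" ]; then continue; fi
        for tool in $AUDIT_TOOLS; do
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                echo "$dir/$tool"
            fi
        done
    done
}

# Count regular files with the owner-execute bit in the same directories.
count_executables() {
    root=${1:-/}
    n=0
    for d in $AUDIT_DIRS; do
        dir="${root%/}/$d"
        if [ -L "$dir" ] || [ ! -d "$dir" ]; then continue; fi
        c=$(find "$dir" -maxdepth 1 -type f -perm -100 | wc -l)
        n=$((n + c))
    done
    echo "$n"
}

# Human-readable summary for one root directory.
audit_report() {
    echo "executables installed: $(count_executables "$1")"
    echo "named tools present:"
    find_tools "$1" | sed 's/^/  /'
}

# Run the report only when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_report "$1"
fi
```

Run it against a minimal install of a full distribution and against an unpacked LRP image to compare the two counts.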
"Sounds great! Where do I get one?"
http://www.linuxrouter.org -- the main site, falling into disrepair but has a great mailing list archive.
http://lrp.c0wz.com -- current development and documentation is linked from here.
Section 2
Why use LRP instead of a Cisco?
Can I replace my low-end Cisco with an old PC running LRP?
Frequently Provided Answer:
It depends on what you're doing.
Performance -- I'm going to avoid a deep discussion of the performance metrics right now in the interest of time. Suffice it to say that a 2500-series router has about as much computational power as a Mac SE. An LRP built on a 386 with a math coprocessor and 12 MB RAM is quite capable of handling a T1 or two of traffic. The Ciscos shouldn't really start to show a performance edge over a PC until you look at 3660s or better, at which point the PCI bus in the PC will start to be a bottleneck. Then again, if you're doing encryption of the data for a VPN, the LRP PC will be able to throw a lot more CPU at the problem. Cisco does offer booster CPUs for encryption work, but they're quite pricey and take up valuable expansion slots.
Read-only boot media -- Ciscos work from a similar design perspective (boot media isn't working media), but the boot media (a flash SIMM) is only software write-protected. If administrator permissions allow, the boot media may be overwritten. Since LRP can boot from a physically write-protected floppy disk or a burned CD-ROM, no one without physical access can damage or alter the boot image. Problems can be cured with a reboot.
Hardware requirements -- The issue here is clear. Cisco hardware is very expensive, and they won't sell it without a support contract. In all fairness, that's a good thing as their support is excellent and their gear is pretty good. However, it is not cheap. If your budget doesn't allow for Cisco, LRP is the way to go. For a direct Cisco replacement, Frame Relay cards can be purchased from Sangoma and are fully supported in LRP. LRP also supports wireless, which Cisco can't do.
Simplicity vs. Flexibility of design -- The Cisco is a single purpose device with a very limited toolkit. In lower end applications, it is the simpler design. However, LRP is designed to run on a more powerful CPU and offers a wide array of packages which allow you to take advantage of that CPU power. The LRP is far more flexible. Granted, up in the LRP vs. full distro section I'm extolling the virtue of simple design -- well, that's life. Design is not a matter of black and white.
Support -- Hands down, Cisco has better support if you're able to pay for it. If you buy a Cisco support contract, you can call them on the phone and yell at them until you feel better, and they still have to help you. Open Source software doesn't work like that. OSS projects like LRP are written, documented, and supported by unpaid volunteers who communicate solely by email. If you don't make an effort to find the answer on your own and be polite about asking for help, you won't get good support. See the LRP Troubleshooting Request Howto at http://lrp.c0wz.com/dox/lrp-list-howtos/LRP-ts-req-HowTo.html if you have further questions about how this works.
Good luck!
Jack
Last modified: Oct 24, 2008 2:28 pm.