Firewall Wizards mailing list archives
Re: RE: High Speed Firewalls
From: Crispin Cowan <crispin () wirex com>
Date: Tue, 14 Mar 2000 00:20:33 +0000
David Newman wrote:
> > The "headers" stuff degrades throughput.
>
> Right. So you agree, then, that even in theory it's not possible to move 100 Mbits of *user data* (e.g., a 12.5-Mbyte file) in 1 second over fast Ethernet?
Agreed.
> > The other stuff degrades latency.
>
> They also degrade throughput. SYNs, FINs, and 3-way handshakes put bits on the wire too, and get counted in a throughput measurement (see RFC 1242). If you're speaking of application-layer throughput (e.g., what wu-ftpd reports) the overhead doesn't get counted -- but that measurement will never report moving 12.5 Mbytes/second unless the implementation is seriously broken.
True. I had forgotten about the SYN & ACK traffic on a simplex line. So now there are lots of reasons why application layer bandwidth never can reach raw "line-speed" bandwidth. However, none of those reasons have anything to do with a firewall being in the way. I continue to assert that for whatever the upper bound is on network throughput, it is possible to put a big badass firewall in the way, and with sufficient memory and computes in the firewall, run that puppy at the same *throughput* as the un-mediated line.

Consider an analogy to the New Jersey Turnpike:

 * cars are like packets
 * latency is the transit time from NYC to DC
 * throughput is the number of cars per hour past a given point
 * toll booths (like firewalls) do inspection, and definitely affect latency
 * if the power of the toll booth (how many booths you have) is insufficient, then they cause a backlog, cars/packets queue up, and throughput degrades
 * if the power of the toll booth is sufficient, then all cars/packets get their own booth upon arrival, and throughput is not affected

Continuing the analogy, if you were to do something like encapsulation or tunneling (wrapping packets inside packets, a la IPSec) then you have added headers, making the payload packets bigger. This is as if you made all the cars 45 feet long, degrading the number of cars that can pass a given point per hour (because they can't pack as close together). *That* will degrade throughput, no matter how much compute power you put in the firewall.

Crispin

-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html
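The two claims argued in the message above can be checked with a small calculation. The following is an added example, not code from either poster: part 1 works out how much user data a 100 Mbit/s Ethernet link can carry once framing, IP and TCP headers are counted (the header sizes are the standard ones; the 50-byte tunnel overhead is an illustrative assumption, since the real cost of an IPsec tunnel depends on the mode, cipher and integrity check), and part 2 is a toy discrete-time model of a firewall as a bank of parallel "toll booths" with an arbitrary, assumed service time, showing that enough booths leave throughput unchanged and only add latency, while too few build a queue and cap throughput.

```python
"""Added example (not from the original post): the arithmetic behind the
throughput-vs-latency argument.  Ethernet/IP/TCP header sizes are the
standard ones; the encapsulation overhead and the inspection service times
are assumptions chosen for illustration."""
import heapq

LINE_RATE_BPS = 100_000_000   # Fast Ethernet, bits per second
# Per-frame cost on the wire: preamble+SFD (8) + Ethernet header (14)
# + FCS (4) + minimum inter-frame gap (12) = 38 bytes.
ETHERNET_OVERHEAD = 38
IP_HEADER = 20                # IPv4 header without options
TCP_HEADER = 20               # TCP header without options
MTU = 1500                    # bytes of IP packet per frame


def payload_throughput(mtu=MTU, encap_overhead=0, line_rate_bps=LINE_RATE_BPS):
    """Return (payload bytes per frame, bytes on the wire per frame,
    user-data bytes per second) for back-to-back full-size frames.
    encap_overhead is the number of extra header bytes an outer tunnel adds
    inside the MTU (assumed value; it shrinks the room left for TCP payload)."""
    payload = mtu - IP_HEADER - TCP_HEADER - encap_overhead
    on_wire = mtu + ETHERNET_OVERHEAD
    frames_per_sec = line_rate_bps / 8 / on_wire
    return payload, on_wire, payload * frames_per_sec


def simulate_firewall(n_packets, arrival_interval, service_time, booths):
    """Deterministic model of the toll-booth analogy.  One packet arrives
    every arrival_interval time units; each needs service_time units of
    inspection at one of `booths` parallel inspectors (FIFO, work-conserving).
    Returns (output throughput in packets per time unit, mean latency added
    per packet).  Throughput is measured at the output, as RFC 1242 counts
    it, by timing the interval between the first and the last packet out."""
    free_at = [0.0] * booths          # time at which each booth is idle again
    heapq.heapify(free_at)
    first_out = None
    last_out = 0.0
    total_delay = 0.0
    for i in range(n_packets):
        arrival = i * arrival_interval
        booth_free = heapq.heappop(free_at)
        start = max(arrival, booth_free)   # wait only if every booth is busy
        done = start + service_time
        heapq.heappush(free_at, done)
        total_delay += done - arrival
        if first_out is None:
            first_out = done
        last_out = done
    span = last_out - first_out
    throughput = (n_packets - 1) / span if span > 0 else float("inf")
    return throughput, total_delay / n_packets


if __name__ == "__main__":
    pl, wire, bps = payload_throughput()
    print(f"plain TCP/IP: {pl} payload bytes per {wire} wire bytes "
          f"-> {bps / 1e6:.2f} MB/s of user data (not 12.5)")
    pl, wire, bps = payload_throughput(encap_overhead=50)   # assumed tunnel cost
    print(f"with 50-byte tunnel header: {pl} payload bytes -> {bps / 1e6:.2f} MB/s")
    # Enough booths: 1 arrival per tick, 3 ticks of inspection, 3 booths.
    print("3 booths:", simulate_firewall(1000, 1.0, 3.0, 3))
    # Too few booths: same load, 2 booths -> queue builds, throughput drops.
    print("2 booths:", simulate_firewall(1000, 1.0, 3.0, 2))
```

The first part reproduces Newman's point: even with no firewall, 100 Mbit/s of wire carries about 11.9 Mbyte/s of user data, and every byte of tunnel header comes straight out of that figure. The second part reproduces Cowan's: with inspection capacity at least equal to the arrival rate, output throughput equals input throughput and the firewall only adds its per-packet service time to latency; with less capacity, throughput is capped at booths/service_time and latency grows without bound.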