Firewall Wizards mailing list archives

Re: Firewall performance testing (Was: Re: Evaluating Firewall)


From: Carson Gaspar <carson () taltos org>
Date: Wed, 07 May 2003 15:03:18 -0400



--On Wednesday, May 07, 2003 20:20:25 +0200 Mikael Olsson <mikael.olsson () clavister com> wrote:

> > These numbers should be for 0% packet loss.
> 
> I've got to object here. Test for 0% packet loss if you need
> __zero__ loss. Sure, a unit running below spec shouldn't be
> losing packets, but to find out what "peak performance" is,
> you really should be testing with something like 0.1%..0.01%
> loss, IMHO.  Take the intel e1000 series NICs for example.
> You can get them to do 1GBps flat with 0% packet loss by cranking
> their RX/TX rings to 1024..8192 buffers (I shit you not), but the
> latency hit is... yuck.  Aim for 0.1%..0.01% loss and you'll get
> a NIC that behaves __much__ better all-round.

I'm a picky SOB. I want numbers for 0% packet loss. If they'd also like to give me numbers for 0.01% loss, that's also a useful data point. I guess I've spent too much time securing real time market data...

Speaking of which, I left latency out of my list. If you care, you should ask specifically about that as well.

> > Most firewalls have to do a connection lookup for established sessions.
> > Good ones will do so with some algorithm that is O(log n) (or so) instead
> > of O(n).
> 
> s/O(log n)/O(1..2)/

True, but be very cautious of the constant in both cases. Some "constant time" algorithms end up being more expensive for sane values of n than a good log n algorithm.

--
Carson Gaspar

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
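An added example, not code from the thread or from any vendor's test tool: the RFC 2544-style throughput search the two posters are arguing about, run against a constructed device model so that both positions show up in numbers. The model is an assumption, not a measurement: the device forwards 1.4 Mpps flat out, a small RX ring drops 1 packet in 100,000 under burst once load passes 900 kpps, a ring of 4096 or more absorbs the bursts, and every queued descriptor costs about 0.7 us of latency. The names make_dut, throughput_search and TrialResult are mine. With those assumptions, a 0% loss criterion on the small ring reports roughly 900 kpps, a 0.01% criterion reports roughly 1.4 Mpps, and the big ring reaches 1.4 Mpps at 0% loss only by queueing, which shows up as milliseconds of latency rather than as loss.

```python
"""RFC 2544-style throughput search against a simulated firewall.

Added example, not from the thread. The device-under-test model is
constructed (all rates, ring sizes and latencies are assumptions) to
show why the loss criterion and the latency figure both matter.
"""

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class TrialResult:
    offered_pps: int      # offered load, packets per second
    sent: int             # packets offered during the trial
    received: int         # packets forwarded by the DUT
    latency_us: float     # median forwarding latency, microseconds

    @property
    def loss_pct(self) -> float:
        if self.sent == 0:
            return 0.0
        return 100.0 * (self.sent - self.received) / self.sent


def make_dut(rx_ring: int) -> Callable[[int], TrialResult]:
    """Build a trial function for a constructed DUT (assumed behaviour).

    - Forwarding capacity is 1.4 Mpps; above that, everything extra is lost.
    - Between 900 kpps and 1.4 Mpps, bursty arrivals overrun a small RX ring
      and 1 packet in 100,000 is dropped; a ring of 4096 or more absorbs
      the bursts with no loss.
    - Every queued packet waits, so latency under load grows with ring size
      (about 0.7 us per queued descriptor at line rate, an assumed figure).
    """
    def run_trial(offered_pps: int, duration_s: int = 10) -> TrialResult:
        sent = offered_pps * duration_s
        if offered_pps <= 900_000:
            received, latency_us = sent, 20.0
        elif offered_pps <= 1_400_000:
            dropped = 0 if rx_ring >= 4096 else sent // 100_000
            received = sent - dropped
            fill = (offered_pps - 900_000) / 500_000       # 0.0 .. 1.0
            latency_us = 20.0 + 0.7 * rx_ring * fill
        else:
            received = 1_400_000 * duration_s
            latency_us = 20.0 + 0.7 * rx_ring              # ring permanently full
        return TrialResult(offered_pps, sent, received, latency_us)
    return run_trial


def throughput_search(run_trial: Callable[[int], TrialResult],
                      max_pps: int,
                      loss_threshold_pct: float,
                      resolution_pps: int = 1000) -> Optional[TrialResult]:
    """Highest offered load whose loss is <= loss_threshold_pct.

    Same shape as the RFC 2544 throughput test: try the maximum, then
    binary search between a passing and a failing rate until they are
    within resolution_pps. Returns the last passing trial, or None if no
    probed rate passes.
    """
    top = run_trial(max_pps)
    if top.loss_pct <= loss_threshold_pct:
        return top
    lo, hi, best = 0, max_pps, None
    while hi - lo > resolution_pps:
        mid = (lo + hi) // 2
        trial = run_trial(mid)
        if trial.loss_pct <= loss_threshold_pct:
            lo, best = mid, trial
        else:
            hi = mid
    return best


if __name__ == "__main__":
    for ring in (256, 8192):
        dut = make_dut(rx_ring=ring)
        for threshold in (0.0, 0.01):
            r = throughput_search(dut, max_pps=2_000_000, loss_threshold_pct=threshold)
            if r is None:
                continue
            print(f"rx_ring={ring:5d} loss<={threshold:.2f}%: "
                  f"{r.offered_pps/1e6:.3f} Mpps, loss {r.loss_pct:.4f}%, "
                  f"latency {r.latency_us:.0f} us")
```

The point to take from the run is that none of the three numbers is wrong on its own; a "1.4 Mpps" datasheet figure is only comparable to another if you know which loss criterion produced it and what the latency was at that load. Against a real device, replace make_dut with a function that drives the traffic generator and reads the sent/received/latency counters for one trial; the search itself does not change.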