nanog mailing list archives
Re: High-speed filtering boxes (Was: Re: SYN floods...)
From: Deepak Jain <deepak () jain com>
Date: Thu, 19 Sep 1996 15:22:35 -0400 (EDT)
I am sure a question most of us have is, what kind of latency does your filtering box add? Doing something at line rate is fine, but latency is rather important at line speed.

Thanks,

-Deepak.

On Thu, 19 Sep 1996, Paul Frommeyer wrote:

"Perry E. Metzger" <perry () piermont com> is alleged to have said:

| BTW, I would suggest that for a variety of applications, hardware
| assisted filtering boxes that simply take in IP one end and put out
| processed IP on the other end would be of use -- not just for this,
| but also for helping in doing packet traces through high traffic
| areas, for implementing firewalls, and for all sorts of other
| things. Vendors, are you listening?

Listening? Um, we make such a product, it's been shipping for some time. Our network address translator, product name Private Internet Exchange, can do what you ask, and with speed to spare, too. It seems to be sort of an SR-71 for packet-filtering -- our engineers haven't been able to tell me just what the upper performance bounds are because they seem to have trouble finding them.

Right now we offer Fast Ethernet and Ethernet interfaces; I'm sure if there's enough market interest we'd look into doing FDDI or perhaps ATM OC3c. FWIW, last estimates I heard were that the box should scale to around 70K flows or so, which would be enough to handle a NAP connection, I should think. This is all at full line rate. More info on our web site, see http://www.cisco.com/warp/public/751/pix/index.html

I've suggested to the PIX engineers that they look into whether it is possible to have the PIX reserve enough data structures in the IP queue to "stay ahead" of line rate flooding of SYN packets. In other words, you'd always have a connection being torn down even as more bogons came in. That would let good packets through, too, along with the evil ones. No word yet; I suspect that due to the long timeout needed for bogus source addresses that this won't be doable, but it'd sure be a nice way to pull the teeth on a SYN flood.

FWIW,

Cheers,
Paul

Paul "Corwin" Frommeyer
Work: Internet Engineer, CCIE          Play: ISP Systems Engineer
      Cisco Systems, Inc.                    Network Sorcerer At Large
      pfrommey () cisco com                   Paul's Fone Company
                                             corwin () palas com
*** Speaking solely for myself unless otherwise noted ***
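Paul's idea of a filter that "stays ahead" of a SYN flood by always tearing down the oldest half-open connection instead of waiting out its timeout, modelled as an added example that is not part of this thread or of the PIX product. It assumes a fixed number of half-open slots, constructed RFC 5737 documentation addresses, and counts SYN arrivals in place of wall-clock time; the second run shows the limit Paul hints at, where a legitimate handshake is evicted because more bogus SYNs than slots arrive before its final ACK.

```python
from collections import OrderedDict


class HalfOpenTable:
    """Bounded SYN_RECEIVED table: a full table evicts its oldest entry
    on every new SYN, so spoofed SYNs that never complete cannot pin
    every slot until a (long) retransmission timeout expires."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.pending = OrderedDict()  # flow -> True, oldest first
        self.established = []
        self.evicted = 0      # half-open entries torn down early
        self.dropped = 0      # final ACKs whose SYN was already gone

    def on_syn(self, flow):
        if flow in self.pending:
            self.pending.move_to_end(flow)  # retransmitted SYN: refresh
            return
        if len(self.pending) >= self.capacity:
            self.pending.popitem(last=False)  # tear down the oldest
            self.evicted += 1
        self.pending[flow] = True

    def on_ack(self, flow):
        # Third packet of the handshake: accept only if the SYN survived.
        if self.pending.pop(flow, None) is None:
            self.dropped += 1
            return False
        self.established.append(flow)
        return True


def simulate(capacity, flood_syns):
    """One legitimate client sends SYN, then flood_syns spoofed SYNs arrive
    before its ACK. Returns (handshake completed?, evictions performed)."""
    table = HalfOpenTable(capacity)
    legit = ("192.0.2.10", 40000, "198.51.100.1", 80)  # constructed flow
    table.on_syn(legit)
    for i in range(flood_syns):
        # Each spoofed SYN uses a distinct constructed source, never ACKs.
        spoofed = ("203.0.113.%d" % (i % 254 + 1), 1024 + i, "198.51.100.1", 80)
        table.on_syn(spoofed)
    return table.on_ack(legit), table.evicted


if __name__ == "__main__":
    print(simulate(64, 32))   # flood below capacity: legit completes
    print(simulate(64, 100))  # flood exceeds capacity before the ACK
```

The ratio that matters is slots against SYN arrivals per handshake round trip, which is why Paul's 70K-flow figure and the line rate both enter the calculation.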