Firewall Wizards mailing list archives

Re: New firewall paradigms, anyone ?


From: Vern Paxson <vern () ee lbl gov>
Date: Fri, 28 Nov 1997 22:39:54 PST

> The first question to answer is whether network traffic is, in fact,
> simple and predictable. We don't know that. (That's one of the
> things The Guys and I are researching.) I'd guess it is.

I wouldn't bet on it.  I've taught courses on Internet measurement and one
of the themes I develop is "there is no such thing as typical".  Huge
variation is instead what you find.  Also, it's worth checking out
"self-similar"/fractal traffic models, which fit to measured (aggregate)
traffic much better than traditional models, and likewise predict huge
variation.

> Do you want to know about packets that have come more
> than 2 standard deviations outside of the normal inter-packet
> arrival time for a connection? What about packets that are out
> of sequence? Or packets that are out of sequence by more than
> 2 sequence numbers? Which is worse - closely out of sequence
> packets or wildly out of sequence packets? My guess is that
> closely out of sequence packets are worse but they are also
> closer to a "normal error".

You might want to check out a couple of my recent papers:

        End-to-End Internet Packet Dynamics
        Proc. SIGCOMM '97
        ftp://ftp.ee.lbl.gov/papers/vp-pkt-dyn-sigcomm97.ps.Z

        Automated Packet Trace Analysis of TCP Implementations
        Proc. SIGCOMM '97
        ftp://ftp.ee.lbl.gov/papers/vp-tcpanaly-sigcomm97.ps.Z

and/or the chapters in my thesis on TCP behavior and network pathologies:

        ftp://ftp.ee.lbl.gov/papers/vp-thesis/dis.ps.gz
                whole thing

        ftp://ftp.ee.lbl.gov/papers/vp-thesis/README 
                list of individual chapters

- Vern
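The quoted question proposes alarming on gaps more than 2 standard deviations beyond a connection's normal inter-packet arrival time, and Vern's reply is that measured traffic shows huge variation rather than a "typical" value. The following added example (my code, not from the thread or from Vern's papers) shows what that does to such a rule: the QUIET and BURST traces, the 30 s probe gap and the MAD-based alternative are my constructions.

```python
"""Added illustration (not from the original thread): a fixed
"mean + 2 standard deviations" inter-packet-arrival alarm, applied to two
constructed baselines, to show why heavy-tailed traffic breaks it."""
import statistics

# Constructed sample data (seconds between packets on one connection).
QUIET = [0.9, 1.1] * 10            # 20 gaps with +/-10% jitter
BURST = QUIET + [100.0]            # same jitter plus one long idle period


def sigma_threshold(intervals, k=2.0):
    """Alarm threshold from the thread: mean + k * population std dev."""
    return statistics.fmean(intervals) + k * statistics.pstdev(intervals)


def mad_threshold(intervals, k=2.0):
    """Robust alternative (my suggestion, not the thread's): median plus
    k * 1.4826 * MAD. The 1.4826 factor scales the median absolute
    deviation to the std dev of a normal distribution, so k is comparable
    to the sigma rule; one huge gap cannot drag the median upward."""
    med = statistics.median(intervals)
    mad = statistics.median(abs(x - med) for x in intervals)
    return med + k * 1.4826 * mad


def flagged(intervals, threshold):
    """Indices of gaps in the window that exceed the threshold."""
    return [i for i, x in enumerate(intervals) if x > threshold]


def exceeds(baseline, gap, rule=sigma_threshold):
    """Would a newly observed gap alarm against a threshold learned
    from the baseline window under the given rule?"""
    return gap > rule(baseline)


if __name__ == "__main__":
    probe = 30.0   # a gap 30x the usual spacing: clearly anomalous
    for name, base in (("quiet", QUIET), ("burst", BURST)):
        for rule in (sigma_threshold, mad_threshold):
            print(f"{name:5} {rule.__name__:15} threshold={rule(base):8.3f} "
                  f"gap {probe} alarms: {exceeds(base, probe, rule)}")
    # One idle gap in the training window lifts the sigma threshold past
    # the probe, so the 30 s gap is silently accepted; the MAD rule still
    # flags it.
```

A single long idle period in the baseline raises the sigma threshold from about 1.2 s to roughly 48 s, so the rule stops seeing a 30 s gap at all; that is the "huge variation" problem in miniature.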


