Firewall Wizards mailing list archives
Re: RE: High Speed Firewalls
From: Crispin Cowan <crispin () wirex com>
Date: Tue, 14 Mar 2000 00:20:33 +0000
David Newman wrote:
> > The "headers" stuff degrades throughput.
> Right. So you agree, then, that even in theory it's not possible to move 100
> Mbits of *user data* (e.g., a 12.5-Mbyte file) in 1 second over fast Ethernet?
Agreed.
> > The other stuff degrades latency.
> They also degrade throughput. SYNs, FINs, and 3-way handshakes put bits on the
> wire too, and get counted in a throughput measurement (see RFC 1242). If you're
> speaking of application-layer throughput (e.g., what wu-ftpd reports) the
> overhead doesn't get counted -- but that measurement will never report moving
> 12.5 Mbytes/second unless the implementation is seriously broken.
True. I had forgotten about the SYN & ACK traffic on a simplex line.
So now there are lots of reasons why application layer bandwidth never can reach
raw "line-speed" bandwidth. However, none of those reasons have anything to do
with a firewall being in the way. I continue to assert that for whatever the
upper bound is on network throughput, it is possible to put a big badass
firewall in the way, and with sufficient memory and computes in the firewall,
run that puppy at the same *throughput* as the un-mediated line.
Consider an analogy to the New Jersey Turnpike:
* cars are like packets
* latency is the transit time from NYC to DC
* throughput is the number of cars per hour past a given point
* toll booths (like firewalls) do inspection, and definitely affect latency
* if the power of the toll booth (how many booths you have) is insufficient,
then they cause a backlog, cars/packets queue up, and throughput degrades
* if the power of the toll booth is sufficient, then all cars/packets get
their own booth upon arrival, and throughput is not affected
Continuing the analogy, if you were to do something like encapsulation or
tunneling (wrapping packets inside packets, a la IPSec) then you have added
headers, making the payload packets bigger. This is as if you made all the
cars 45 feet long, degrading the number of cars that can pass a given point per
hour (because they can't pack as close together). *That* will degrade
throughput, no matter how much compute power you put in the firewall.
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html
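Worked numbers for the two points argued above, added by the editor and not part of
either poster's message. The first half puts the fast Ethernet header overhead into
figures (Ethernet framing, IPv4 and TCP headers, then the same payload inside an
ESP tunnel) and shows why a 12.5-Mbyte file cannot cross a 100 Mbit link in one
second; the second half is a toll-booth simulation of an inline firewall, showing
that inspection always adds latency but only costs throughput once the booths are
too few for the offered load. The ESP overhead figure, the inspection time and the
offered load are assumed values chosen for illustration; the function names are the
editor's.

```python
"""Throughput vs. latency numbers for an inline firewall (editor's example)."""
import heapq

# Ethernet framing bytes per frame that carry no user data:
# 8 (preamble + SFD) + 14 (header) + 4 (FCS) + 12 (minimum interframe gap).
ETHERNET_L2_OVERHEAD = 38
ETHERNET_MTU = 1500
TCP_IPV4_HEADERS = 20 + 20          # IPv4 and TCP headers without options
# Assumed tunnel-mode ESP overhead: outer IPv4 20 + ESP header 8 + 16-byte IV
# + 2-byte trailer + 12-byte ICV. Cipher-block padding is ignored here.
ESP_TUNNEL_OVERHEAD_ASSUMED = 58


def max_goodput_bytes_per_s(line_rate_bps, l3l4_headers=TCP_IPV4_HEADERS,
                            mtu=ETHERNET_MTU, l2_overhead=ETHERNET_L2_OVERHEAD):
    """Best-case one-way user data per second using only full-size frames.
    ACKs and handshakes are ignored, so this is an upper bound."""
    user_bytes_per_frame = mtu - l3l4_headers
    wire_bytes_per_frame = mtu + l2_overhead
    frames_per_s = line_rate_bps / 8 / wire_bytes_per_frame
    return frames_per_s * user_bytes_per_frame


def seconds_to_transfer(file_bytes, goodput_bytes_per_s):
    """Minimum wall-clock time to move file_bytes at the given goodput."""
    return file_bytes / goodput_bytes_per_s


def simulate_toll_booths(n_packets, arrival_interval_us, booths, inspect_us):
    """Toll-booth model of an inline firewall. Packets arrive back to back,
    one every arrival_interval_us; `booths` parallel inspectors each spend
    inspect_us on a packet. Returns (exit_rate_pps, mean_latency_us,
    max_latency_us)."""
    free_at = [0] * booths          # min-heap: when each booth is next free
    heapq.heapify(free_at)
    latencies = []
    departures = []
    for i in range(n_packets):
        arrival = i * arrival_interval_us
        booth_free = heapq.heappop(free_at)
        start = max(arrival, booth_free)   # wait in line if every booth is busy
        done = start + inspect_us
        heapq.heappush(free_at, done)
        latencies.append(done - arrival)
        departures.append(done)
    # Exit rate measured from first to last departure, in packets per second.
    exit_rate_pps = (n_packets - 1) * 1e6 / (max(departures) - min(departures))
    return exit_rate_pps, sum(latencies) / n_packets, max(latencies)


if __name__ == "__main__":
    plain = max_goodput_bytes_per_s(100e6)
    tunnelled = max_goodput_bytes_per_s(
        100e6, TCP_IPV4_HEADERS + ESP_TUNNEL_OVERHEAD_ASSUMED)
    print(f"best-case TCP goodput on fast Ethernet: {plain / 1e6:.2f} MB/s")
    print(f"same payload inside an ESP tunnel:     {tunnelled / 1e6:.2f} MB/s")
    print(f"a 12.5 MB file needs at least "
          f"{seconds_to_transfer(12.5e6, plain):.3f} s")
    # Assumed load: one packet every 100 us (10,000 pps), 250 us per inspection.
    for booths in (2, 3):
        rate, mean_lat, max_lat = simulate_toll_booths(10_000, 100, booths, 250)
        print(f"{booths} booths: exit rate {rate:,.0f} pps, "
              f"mean latency {mean_lat:,.0f} us, max {max_lat:,.0f} us")
```

With two booths the firewall can clear 8,000 packets per second against 10,000
offered, so the queue grows without bound and both throughput and latency suffer;
with three booths every packet still pays the 250 us inspection delay, but the exit
rate equals the offered rate, which is Crispin's claim. The goodput figures drop
further as soon as headers are added, regardless of how many booths there are.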
Current thread:
- Re: Active FTP behind a router doing NAT, (continued)
- Re: Active FTP behind a router doing NAT Ryan Russell (Mar 17)
- Re: High Speed Firewalls Eric Hall (Mar 13)
- Re: High Speed Firewalls Chenggong Charles Fan (Mar 12)
- Re: High Speed Firewalls David Newman (Mar 06)
- Re: High Speed Firewalls Crispin Cowan (Mar 12)
- RE: High Speed Firewalls David Newman (Mar 12)
- Re: High Speed Firewalls Crispin Cowan (Mar 12)
- RE: High Speed Firewalls David Newman (Mar 12)
- Re: RE: High Speed Firewalls Crispin Cowan (Mar 17)
- RE: RE: High Speed Firewalls David Newman (Mar 17)
- Re: RE: High Speed Firewalls Crispin Cowan (Mar 21)
- RE: RE: High Speed Firewalls David Newman (Mar 21)
- Re: RE: High Speed Firewalls Crispin Cowan (Mar 21)
- RE: RE: High Speed Firewalls David Newman (Mar 21)
- Re: RE: High Speed Firewalls Crispin Cowan (Mar 21)
- RE: RE: High Speed Firewalls David Newman (Mar 21)
- Re: RE: High Speed Firewalls Saravana Ram (Mar 23)
- Re: High Speed Firewalls Crispin Cowan (Mar 12)
- Re: Re: High Speed Firewalls Dug Song (Mar 13)
