Firewall Wizards mailing list archives

Re: RE: High Speed Firewalls


From: Crispin Cowan <crispin () wirex com>
Date: Tue, 21 Mar 2000 08:51:51 +0000

David Newman wrote:

That has mostly to do with things like round-trip delays for handshakes,
and TCP slow start.  If you take a sample out of the middle of such a
connection, for a much longer file, it will look better.

I think at some point, your constraining factor might get to be
latency.  The window size can only get to be 64K, right?

                              Ryan

Er, sorry to have to go through this again. This has nothing to do with
latency (delay) or window size. On the wire, user data (like the contents of
a file) is wrapped in packets. Packets have headers. Headers add overhead.
Ergo, it's not possible to put 100 Mbits of *user data* on the wire in one
second. Ergo, "wire-speed throughput" from an application perspective is a
myth.

Please reread the earlier thread -- this has all been hashed over,
several times.

At the risk of further re-hashing, Ryan does have a point.  Window size limits
the depth of the firewall's processing pipeline, which in turn may actually
impose an upper bound on firewall throughput.  To be sure, it is a very high
ceiling, but it may impose one.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
                  JOBS!  http://immunix.org/jobs.html
