Firewall Wizards mailing list archives
Re: CERT vulnerability note VU# 539363 (fwd)
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 16 Oct 2002 23:15:52 +0200
Paul Robertson wrote:
Hmmm, is this because "normal" rules aren't optimized or hashed, but state tables were kind of pre-assumed to be a performance issue, and therefore given performance attention at the design stage? Maybe it's just because the state information is easy to do a boolean comparison on?
I'll concede that maybe our rule lookups could be faster. Heck, not even maybe, they _could_ be faster, given enough head scratching and cool algorithm design. It's just that it sort of feels iffy to me. The ruleset is the ultimate policy enforcement point. I'm personally not altogether comfortable with changing this from an easily verifiable linear lookup with straight- forward comparisons to some n-dimensional single-hop constant-time lookup that you need a master's degree in math and a minor in CS to understand. This is not to say that it hasn't been done. There was this company that shall remain nameless that sold cool blue boxes with blitzingly fast rule lookups and no statefulness. Today, they tout header compression.
Have any kind of feel for where the line is? Daniel's 5000 to 100 mention has me wondering if we can codify the sorts of places where this can be an easy performance win for folks who are in high utilization scenerios.
Ugh. If it was just a line, I might be able to give you an estimate. Unfortunately, it's more like a 3D function surface of state creation rate, ruleset size, and raw throughput. Not to mention product specifics. It is however an interesting question. I think I'll coherce the QA people into cranking out some more diagrams when I'm done abusing them with all the testing for the current release :) For our software on current hardware, I think something along the line of "tens of thousands of connections per second" coupled with "the first handful of rules" would be where statelessness might pay off, but I don't think that's anywhere near useful as general advice.
Why can't I log stateless rules?
Answered in another subthread.
[1] We had a dearth of gameshow sounds in this thread ;)
*meEEep* -- Mikael Olsson, Clavister AB Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05 Fax: +46 (0)660 122 50 WWW: http://www.clavister.com _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: CERT vulnerability note VU# 539363 (fwd) Paul D. Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Mikael Olsson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Paul Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Daniel Hartmeier (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Paul Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Carson Gaspar (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Paul Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Mikael Olsson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Mikael Olsson (Oct 16)
- <Possible follow-ups>
- RE: CERT vulnerability note VU# 539363 (fwd) Schouten, Diederik (Diederik) (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Stephen Gill (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Carson Gaspar (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Mike Frantzen (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Miles Sabin (Oct 18)
- Re: CERT vulnerability note VU# 539363 (fwd) Darren Reed (Oct 22)
- Re: CERT vulnerability note VU# 539363 (fwd) Mike Frantzen (Oct 22)
- Re: CERT vulnerability note VU# 539363 (fwd) Carson Gaspar (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) David Wagner (Oct 18)
- RE: Re: CERT vulnerability note VU# 539363 (fwd) Ben Nagy (Oct 19)