nanog mailing list archives

Re: karl and paul, expostulating


From: "Justin W. Newton" <justin () erols com>
Date: Thu, 20 Feb 1997 16:28:02 -0500

At 07:23 PM 2/19/97 -0800, Paul A Vixie wrote:

Wahoo, a nanog issue :)


> Filtering by connection to the SMTP port, based on source address, very
> definitely DOES work.
>
> Filtering packets based on source address makes Ciscos go way slow on
> every packet.  Filtering based on destination address makes Ciscos go
> very fast on most packets and a little slower on SYN-ACKs.

If you enable flow switching it adds little overhead to the box.  On a 7505
with 2 sets of full routes and another partial set of routes (and all of
the updates associated), that pushes some pretty significant traffic, I am
filtering approx 25M/sec of data with 25k long extended access list.  The
total CPU load on the box is approximately 35%.  Oh yeah, the box is also
the DR for area 0 of a fairly large OSPF network (approximately 3k routes).
Before flow switching was enabled we were running at 80% or so (not for
more than a few minutes before we enabled flow switching though).


> Sez you.  I'd ordinarily expect you to love the idea of "if you don't play
> by my rules I will start my own Internet without you on it."

Go ahead and do so, but not with public resources.

> And, again, wrong.  I want spammers to spend 75 seconds of TCP PCB time on
> me.
> By blackholing SYN-ACKs and not sending them ICMPs, they lose capacity that
> they could otherwise spend spamming other people. I call this "fighting
> dirty."

Is having them time out on DNS requests so that their entire system runs
slower fighting dirty as well?

> I operate a cooperative resource.  I will not have it used against me.

What kind of a port adapter do you need so as not to have to filter the
traffic to the root name server?



Justin Newton
Network Architect
Erol's Internet Services
- - - - - - - - - - - - - - - - -
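The thread contrasts two places to hang an SMTP filter on a Cisco border router (matching on source address inbound versus matching on destination address outbound, so that only the return SYN-ACKs are dropped) and credits flow switching with the CPU drop. The configuration below is an added illustration, not from the message or from Erol's; the interface name, ACL numbers and all addresses (IANA documentation ranges) are placeholders, and the IOS syntax is written from memory of the 11.x-era command set and should be checked against the release in use.

```cisco
! Added example, not from the thread. Shows the two filter placements the
! message contrasts plus the interface settings it mentions. Addresses are
! documentation ranges used as placeholders; interface and ACL numbers are
! assumptions.
!
! --- Approach 1: match on SOURCE address, applied inbound ---
! Every inbound packet is walked against this list. With a long list and no
! flow cache this is the case the message says makes the router slow.
access-list 101 deny   tcp 192.0.2.0 0.0.0.255 any eq smtp
access-list 101 deny   tcp 198.51.100.0 0.0.0.255 any eq smtp
access-list 101 permit ip any any
!
! --- Approach 2: match on DESTINATION address, applied outbound ---
! "established" matches only segments with ACK or RST set, and the source
! port restriction limits the match to replies from local SMTP servers. The
! peer's SYN still arrives and is answered, but the SYN-ACK never leaves, so
! the peer's connect() sits in SYN-SENT until its own timer expires (the
! "75 seconds of TCP PCB time" in the message).
access-list 102 deny   tcp any eq smtp 192.0.2.0 0.0.0.255 established
access-list 102 deny   tcp any eq smtp 198.51.100.0 0.0.0.255 established
access-list 102 permit ip any any
!
interface Serial0
 description border link (placeholder)
 ip address 203.0.113.2 255.255.255.252
 ! Flow switching evaluates the access list once per flow and caches the
 ! verdict, so later packets of the same flow skip the list walk. This is
 ! the change the message credits with taking CPU from about 80% to 35%.
 ip route-cache flow
 ! No ICMP unreachables for dropped packets: the filtered peer gets no
 ! signal that a filter exists and cannot fail fast.
 no ip unreachables
 ip access-group 101 in
 ip access-group 102 out
```

Applying only one of the two lists is enough to demonstrate either approach; the `log` keyword is deliberately omitted from the deny entries, since logging every match forces the packet to the process path and undoes the flow-cache saving. Check `show ip cache flow` and `show processes cpu` before and after enabling `ip route-cache flow` to see the effect the message describes on your own hardware.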

