Re: Blocking TCP flows?

[Christopher Morrow <morrowc.lists () gmail com>]

On Thu, Jun 13, 2013 at 4:47 PM, Phil Fagan <philfagan () gmail com> wrote:
> I didn't think the bus up to the FGPA was very beefy...wouldn't you need to
> send flows up there off the data-plane for inspection?

not sure, but their docs talk about using the fpga for doing HFT... so
I presume it's got the abiliity to see all traffic on at least on
interface, eh?

(I believe the fpga is really connected to the bus as a 10g link...
but I haven't tried this I've only read their docs)

> On Thu, Jun 13, 2013 at 2:03 PM, Christopher Morrow
> <morrowc.lists () gmail com> wrote:
> > On Thu, Jun 13, 2013 at 3:32 PM, Eric Wustrow <ewust () umich edu> wrote:
> > > Hi all,
> > >
> > > I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10
> > > gbps
> > > link, with new blocked flows being dropped within a millisecond or so of
> > > being
> > > added. I've been looking into using OpenFlow on an HP Procurve, but I
> > > don't
> > > know much in this area, so I'm looking for better alternatives.
> >
> > this sounds like a job for the arista box with the FGPA onboard, no?
> >
> >
> > > Ideally, such a device would add minimal latency (many/expandable CAM
> > > entries?), can handle many programatically added flows (hundreds per
> > > second),
> > > and would be deployable in a production network (fails in bypass mode).
> > > Are
> > > there any
> > > COTS devices I should be looking at? Or is the market for this all under
> > > the table to
> > > pro-censorship governments?
> > >
> > > Thanks,
> > >
> > > -Eric
>
>
>
> --
> Phil Fagan
> Denver, CO
> 970-480-7618