nanog mailing list archives
Re: Blocking TCP flows?
From: Phil Fagan <philfagan () gmail com>
Date: Thu, 13 Jun 2013 16:37:57 -0600
I really like the idea of a stripe of linux boxes doing the heavy lifting. Any suggestions on platforms, card types, and chip types that might be better purposed at processing this type of data? I assume you could write some fast Perl to ingest and manage the tables? What would the package of choice be for something like this? On Thu, Jun 13, 2013 at 3:11 PM, Jonathan Lassoff <jof () thejof com> wrote:
Are you trying to block flows from becoming established, knowing what you're looking for ahead of time, or are you looking to examine a stream of flow establishments, and will snipe off some flows once you've determined that they should be blocked? If you know a 5-tuple (src/dst IP, IP protocol, src/dst L4 ports) you want to block ahead of time, just place an ACL. It depends on the platform, but those that implement them in hardware can filter a lot of traffic very quickly. However, they're not a great tool when you want to dynamically reconfigure the rules. For high-touch inspection, I'd recommend a stripe of Linux boxes, with traffic being ECMP-balanced across all of them, sitting in-line on the traffic path. It adds a tiny bit of latency, but can scale up to process large traffic paths and apply complex inspections on the traffic. Cheers, jof On Thu, Jun 13, 2013 at 12:32 PM, Eric Wustrow <ewust () umich edu> wrote:Hi all, I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10gbpslink, with new blocked flows being dropped within a millisecond or so of being added. I've been looking into using OpenFlow on an HP Procurve, but Idon'tknow much in this area, so I'm looking for better alternatives. Ideally, such a device would add minimal latency (many/expandable CAM entries?), can handle many programatically added flows (hundreds per second), and would be deployable in a production network (fails in bypass mode).Arethere any COTS devices I should be looking at? Or is the market for this all under the table to pro-censorship governments? Thanks, -Eric
-- Phil Fagan Denver, CO 970-480-7618
Current thread:
- Blocking TCP flows? Eric Wustrow (Jun 13)
- Re: Blocking TCP flows? Christopher Morrow (Jun 13)
- Re: Blocking TCP flows? Phil Fagan (Jun 13)
- Re: Blocking TCP flows? Christopher Morrow (Jun 13)
- Re: Blocking TCP flows? Phil Fagan (Jun 13)
- Re: Blocking TCP flows? Jonathan Lassoff (Jun 13)
- Re: Blocking TCP flows? Phil Fagan (Jun 13)
- Re: Blocking TCP flows? Phil Fagan (Jun 13)
- Re: Blocking TCP flows? Jonathan Lassoff (Jun 13)
- Re: Blocking TCP flows? Phil Fagan (Jun 13)
- Re: Blocking TCP flows? shawn wilson (Jun 13)
- Re: Blocking TCP flows? Phil Fagan (Jun 13)
- Re: Blocking TCP flows? Christopher Morrow (Jun 13)
- Re: Blocking TCP flows? Christopher Morrow (Jun 13)
- Re: Blocking TCP flows? Jeff Kell (Jun 13)
- Re: Blocking TCP flows? QliX=D! [aka EHB] (Jun 14)