Great Circle Associates Firewalls
(July 1994)


Subject: Re: Packet filtering overhead
From: ted . doty @ nsco . network . com
Date: Fri, 15 Jul 94 11:38:07 PDT
To: tdnadeau @ xap . xyplex . com
Cc: firewalls @ greatcircle . com, breinhar @ tomahawk . welch . jhu . edu

>>dot> absolutely no performance difference between 1 and 200. Note
>>dot> that order is important for security reasons (you don't want
>>dot> your router arbitrarily reordering the filters), but this is
>>dot> not a performance issue if you have a hash.
>		Well, actually it is.  If you order your filters in such a way
>as to require multiple look-ups, then the router is doing a lot of
>wasted work just to determine that it should drop a packet.
>Therefore, it does not matter which data lookup algorithm the router
>is actually using if the administrator mis-orders the filter table,
>since in every case there will be an additional performance hit.

Well, we did a standard Bradner-style test where the tester sent packets
to each of these sockets (all 200) and we saw no performance difference
between 1 filter and 200.

I don't want to turn this into a discussion of hashing algorithms, but
in general, hashing into a list should land you very close to the list
entry you want, unless your hashing algorithm is brain-dead.

By way of summary, we do NOT do sequential lookups, we hash based on
{ip_source,ip_destination} address pairs.

You CAN do interface filtering (or even sequential list lookup if you
really want to kill your performance) on our routers, but we try to
emphasize appropriate filtering on the appropriate filter points.

I agree that if the administrator doesn't know what he's doing, you'll
get crummy performance.  This just shows that packet filtering is like
everything else.

- Ted
Ted Doty, Network Systems Corporation | phone:      +1 301 596-2270
8965 Guilford Road, Suite 250         | fax:        +1 410 381-3320
Columbia, MD, 21046 USA               | voice mail: (800) 233-1485
Wenn ist das Nunstuck git und Slotermeyer? Ja! ... Beierhund das Oder
die Flipperwaldt gersput!
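To make the point about hashing on {ip_source, ip_destination} concrete, here is an added illustration (not the router code discussed on the list): a sequential filter table versus one bucketed by address pair, where the cost of rejecting a non-matching packet stays at one probe regardless of table size while the administrator's rule order is still honoured inside each bucket. Rules are assumed to use exact addresses (no wildcards), and all addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # exact source address (assumption: no wildcards)
    dst: str      # exact destination address
    action: str   # "permit" or "deny"

class SequentialFilter:
    """Walks the table in administrator order; a miss costs len(rules) checks."""
    def __init__(self, rules):
        self.rules = list(rules)

    def lookup(self, src, dst):
        checks = 0
        for rule in self.rules:
            checks += 1
            if (rule.src, rule.dst) == (src, dst):
                return rule.action, checks
        return "deny", checks            # implicit default deny

class HashedFilter:
    """Buckets rules by (src, dst). Administrator order is kept inside each
    bucket, so the first listed rule for a pair still wins, but the bucket
    itself is found with a single hash probe."""
    def __init__(self, rules):
        self.buckets = defaultdict(list)
        for rule in rules:               # insertion order == configured order
            self.buckets[(rule.src, rule.dst)].append(rule)

    def lookup(self, src, dst):
        bucket = self.buckets.get((src, dst))
        if bucket:
            return bucket[0].action, 1   # one probe; first rule in bucket wins
        return "deny", 1

def constructed_rules(n):
    """n permit rules over constructed RFC 1918 address pairs."""
    return [Rule(f"10.0.0.{i}", f"192.168.0.{i}", "permit") for i in range(1, n + 1)]

def cost_of_miss(n):
    """Checks needed to reject a packet matching none of n rules (sequential, hashed)."""
    rules = constructed_rules(n)
    pkt = ("172.16.0.9", "192.168.0.200")   # constructed packet matching nothing
    return SequentialFilter(rules).lookup(*pkt)[1], HashedFilter(rules).lookup(*pkt)[1]

if __name__ == "__main__":
    for n in (1, 200):
        print(n, cost_of_miss(n))        # (1, 1) then (200, 1)
    # Order still matters: a deny listed before a permit for the same pair wins.
    same_pair = [Rule("10.0.0.1", "192.168.0.1", "deny"),
                 Rule("10.0.0.1", "192.168.0.1", "permit")]
    print(HashedFilter(same_pair).lookup("10.0.0.1", "192.168.0.1")[0])   # deny
```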
