Great Circle Associates Firewalls
(January 1995)

Subject: Re: Access-lists and performance
From: Rob Liebschutz <rob @ rjl . com>
Date: Thu, 26 Jan 1995 12:45:22 -0800
To: firewalls @ GreatCircle . COM

> Has anyone here actually had noticeable or problematic
> performance degradation due to the processing of access-lists?
> If so, what platform and how big was the list?  Thanks.

Though I have not done actual measurements, I would speculate that in
some router implementations, incoming access lists on a fast network
interface might create a performance problem, but outgoing access
lists probably won't in situations where the Internet connection is
only 56kb and T1 like most of us have today.

It seems to me that the use of an incoming access list on an
interface over an outgoing access list might, depending on the
design of the router, reduce the buffering capability and the ability
of the router to be doing simultaneous packet switching and
routing.

With outgoing access lists, packets can be held in both input and
output buffers and be passing through intermediate stages of
processing while the access check is done.

With incoming access lists, the packet has to be held on the input
side of the router and you can't do anything else with it until you
complete your access check.

This might affect you if you have a very fast interface on the
internal network and a very slow one on the external network, then the
router might be more prone to dropping incoming packets when it gets
busy.

I would think it possible to design a router that can deal with this
situation, but there would be a cost involved in doing so.

I would definitely agree with Paul Traina that it is a better idea to
use outgoing access lists whenever possible.  Maybe he could tell us
whether or not there is an actual performance penalty for using
incoming lists.

You can also design your access list such that the most frequently
occurring permit cases appear earliest in the access list when
possible.  Of course less optimal ordering may be necessary in some
cases for correctness.  The denys for the spoofing attacks most
definitely do need to be at the beginning of the access list.  (In
general any denys need to precede other permits which could
potentially let through undesirable packets).

Rob
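An added illustration of the ordering point in the post above (example code written for this archive page, not from Rob or the list): a small first-match access-list evaluator run over a constructed inbound traffic sample. The internal range 192.0.2.0/24, the port-based permit rules and the traffic mix are all assumptions; it shows that putting the anti-spoofing deny first costs a little per packet, while putting "fast" permits ahead of it lets a spoofed packet through, and that ordering the permits by frequency still pays off behind the deny.

```python
import ipaddress
from collections import Counter

# Constructed example: hypothetical internal range protected by an anti-spoof deny.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rule = (action, source network, destination port or None). First match wins;
# if nothing matches, the implicit deny at the end of a router ACL applies.
ANTI_SPOOF = [("deny", INTERNAL, None)]  # inbound packet claiming an internal source
PERMITS = [("permit", ANY, 80), ("permit", ANY, 25), ("permit", ANY, 53)]

def evaluate(acl, src, dport):
    """Return (verdict, number of rules examined) for one packet."""
    src = ipaddress.ip_address(src)
    for examined, (action, net, port) in enumerate(acl, start=1):
        if src in net and (port is None or port == dport):
            return action, examined
    return "deny", len(acl)  # implicit deny: every rule was examined

def run(acl, packets):
    """Evaluate a traffic sample; return verdict counts and mean rules examined."""
    verdicts, total = Counter(), 0
    for src, dport in packets:
        action, examined = evaluate(acl, src, dport)
        verdicts[action] += 1
        total += examined
    return verdicts, total / len(packets)

# Constructed inbound sample: mostly web, some mail, one spoofed "internal" source.
SAMPLE = [("198.51.100.7", 80)] * 6 + [("203.0.113.9", 25)] * 3 + [("192.0.2.10", 80)]

DENY_FIRST = ANTI_SPOOF + PERMITS              # correct: spoof deny precedes permits
PERMIT_FIRST = PERMITS + ANTI_SPOOF            # cheaper per packet, but unsafe
DENY_FIRST_UNSORTED = ANTI_SPOOF + PERMITS[::-1]  # correct, but rare permits first

if __name__ == "__main__":
    for name, acl in (("deny-first", DENY_FIRST), ("permit-first", PERMIT_FIRST),
                      ("deny-first-unsorted", DENY_FIRST_UNSORTED)):
        verdicts, mean = run(acl, SAMPLE)
        print(f"{name:20} {dict(verdicts)}  mean rules examined {mean:.1f}")
```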
