Great Circle Associates Firewalls
(April 1995)

Subject: Re: Lecture on firewall performance
From: Dermot Tynan <dtynan @ karpov . ilo . dec . com>
Date: Tue, 25 Apr 1995 14:41:12 +0100
To: firewalls @ greatcircle . com

Rich Schultz wrote:
> 
> The current coast-to-coast RTT in the US on
> leased fiber (not using the Internet) is about 70ms.  Switches will get
> faster, but this RTT is going to stay above 50ms.  Your firewall's context
> switches are already fast enough for that.

One of us has missed the point (I hope it isn't me again!).  The RTT of
a single packet through a stateless firewall is pretty much irrelevant
at FDDI speeds.  Sure, the *per packet* overhead is marginal, but if
you do have an FDDI link, the overall bandwidth-gating item will
probably be the firewall.  You'll be paying for a high-bandwidth link
to the outside world, and it will run into packet starvation on
transmit, and dropped packets on receive.  The worst-case packet is a
TELNET packet, with a single keystroke.  Imagine tons of PCs,
workstations and terminal servers all connecting through a firewall.
41 bytes per keystroke (approximately).  That is somewhere between 3
and 5 *microseconds* per packet at FDDI rates.  As Marcus says
(correctly!), there's no point getting ulcers about imagined future
problems.  However, the problem is very real, and will be on our
doorstep sooner than we think.  If the correct architecture is currently
in place, then it will scale quite nicely when the time comes.  Having to
context-switch to userland on each datagram isn't going to work in the
long term.  If you can make a quick yay-nay decision, then OK, flat out,
an Intel-based firewall *might* keep up.  However, with all those
hosts, and ACL files with rules like "If this is Tuesday, and the
Connection is to Belgium, and there's an R in the month, then OK,
maybe...", the picture begins to shift.  In firewall design, we can't
afford to be blindsided by high performance networks.  We don't have to
try and make the machines Donner Und Blitzen fast today, but do the
homework today, and go to the beach while everyone else is madly trying
to re-architect their product.  Just my tuppence worth...
						- Der
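As an added illustration (not part of the original message), the worst-case budget argued above turned into a small capacity check that generalises beyond the FDDI case: any link rate and packet size give the time the link allows per packet, and a per-packet processing cost (the values used here are assumed, as is the rough FDDI framing overhead) gives the fraction of line rate the filter can sustain and the smallest packet at which it still keeps up.

```python
# Added example, not code from the original post. Per-packet time budget
# for a packet filter on a link, generalised from the Telnet-keystroke-
# on-FDDI worst case described in the message above.

FDDI_BPS = 100_000_000            # FDDI line rate, bits per second
IP_HDR = 20                       # IPv4 header without options, bytes
TCP_HDR = 20                      # TCP header without options, bytes
TELNET_KEYSTROKE = IP_HDR + TCP_HDR + 1   # 41 bytes, as in the message
FDDI_FRAMING = 24                 # ASSUMED rough MAC/LLC overhead per frame, bytes
USERLAND_COST_US = 20.0           # ASSUMED cost of a userland round trip per datagram


def packet_budget_us(link_bps, packet_bytes, framing_bytes=0):
    """Microseconds the link needs to carry one packet.  A filter that
    spends longer than this on each packet cannot keep up with line rate."""
    bits = (packet_bytes + framing_bytes) * 8
    return bits / link_bps * 1e6


def max_pps(link_bps, packet_bytes, framing_bytes=0):
    """Packets per second the link can deliver at this packet size."""
    return link_bps / ((packet_bytes + framing_bytes) * 8)


def sustainable_fraction(link_bps, packet_bytes, cost_us, framing_bytes=0):
    """Fraction of line rate a filter costing cost_us per packet can forward;
    1.0 means it keeps up, anything less means it is the bottleneck."""
    budget = packet_budget_us(link_bps, packet_bytes, framing_bytes)
    return min(1.0, budget / cost_us)


def min_packet_for_line_rate(link_bps, cost_us, framing_bytes=0):
    """Smallest IP packet (bytes, excluding framing) at which a filter with
    the given per-packet cost still keeps up with line rate."""
    wire_bytes = cost_us * 1e-6 * link_bps / 8
    return max(0.0, wire_bytes - framing_bytes)


if __name__ == "__main__":
    print("budget per keystroke packet: %.2f us" %
          packet_budget_us(FDDI_BPS, TELNET_KEYSTROKE))
    print("with framing: %.2f us" %
          packet_budget_us(FDDI_BPS, TELNET_KEYSTROKE, FDDI_FRAMING))
    print("sustainable fraction of line rate at %.0f us/packet: %.3f" %
          (USERLAND_COST_US,
           sustainable_fraction(FDDI_BPS, TELNET_KEYSTROKE, USERLAND_COST_US)))
    print("packets must be at least %.0f bytes to keep up" %
          min_packet_for_line_rate(FDDI_BPS, USERLAND_COST_US))
```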
