Re: Thoughts on firewall performance draft
"Michael C. Richardson" <mcr@sandelman.ottawa.on.ca> Fri, 26 June 1998 20:45 UTC
Received: from smtp-gw.BayNetworks.COM (ns5.baynetworks.com [194.133.90.101]) by dokka.maxware.no (8.8.5/8.8.5) with ESMTP id WAA03536 for <bmwg-archive@alvestrand.no>; Fri, 26 Jun 1998 22:45:33 +0200
Received: from mailhost.BayNetworks.COM ([132.245.135.115]) by smtp-gw.BayNetworks.COM (8.8.8/8.8.8) with ESMTP id WAA18229; Fri, 26 Jun 1998 22:28:15 +0200 (MET DST)
Received: from pobox.engeast.BayNetworks.COM (pobox.engeast.baynetworks.com [192.32.61.6]) by mailhost.BayNetworks.COM (8.8.8/8.8.8) with ESMTP id QAA20377; Fri, 26 Jun 1998 16:28:12 -0400 (EDT)
Received: (majordom@localhost) by pobox.engeast.BayNetworks.COM (SMI-8.6/BNET-97/04/24-S) id QAA02704; Fri, 26 Jun 1998 16:22:44 -0400 for bmwg-outgoing
Received: from mailhost.BayNetworks.COM (ns2.baynetworks.com [134.177.1.109]) by pobox.engeast.BayNetworks.COM (SMI-8.6/BNET-97/04/24-S) with ESMTP id QAA02698; Fri, 26 Jun 1998 16:22:43 -0400 for <bmwg@engeast.BayNetworks.COM>
Received: from smtp-gw.BayNetworks.COM (ext-ns3.baynetworks.com [192.32.253.3]) by mailhost.BayNetworks.COM (8.8.8/8.8.8) with ESMTP id NAA03733 for <bmwg@BayNetworks.COM>; Fri, 26 Jun 1998 13:22:42 -0700 (PDT)
Received: from lox.sandelman.ottawa.on.ca (lox.sandelman.ottawa.on.ca [209.151.24.2]) by smtp-gw.BayNetworks.COM (8.8.8/8.8.8) with ESMTP id QAA11366 for <bmwg@baynetworks.com>; Fri, 26 Jun 1998 16:22:39 -0400 (EDT)
Received: from istari.sandelman.ottawa.on.ca (istari.sandelman.ottawa.on.ca [209.151.24.30]) by lox.sandelman.ottawa.on.ca (8.8.7/8.8.8) with ESMTP id QAA26390 for <bmwg@baynetworks.com>; Fri, 26 Jun 1998 16:22:33 -0400 (EDT)
Received: from istari.sandelman.ottawa.on.ca ([[UNIX: localhost]]) by istari.sandelman.ottawa.on.ca (8.8.7/8.7.3) with ESMTP id QAA25548 for <bmwg@baynetworks.com>; Fri, 26 Jun 1998 16:22:28 -0400 (EDT)
Message-Id: <199806262022.QAA25548@istari.sandelman.ottawa.on.ca>
To: bmwg@BayNetworks.COM
Subject: Re: Thoughts on firewall performance draft
In-reply-to: Your message of "Fri, 26 Jun 1998 15:25:00 EDT." <199806261925.PAA26657@pobox.engeast.BayNetworks.COM>
Date: Fri, 26 Jun 1998 16:22:26 -0400
From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
Sender: owner-bmwg@BayNetworks.COM
Precedence: bulk
>>>>> "Kevin" == Kevin Dubray <kdubray@BayNetworks.COM> writes: >> This is wonderful as clarifying concept or term on which to build. As >> a stand-alone metric, I'm not so sure . You referred to measuring >> connection concurrency. This is something that I can and probably >> should measure wrt firewalls. A connection overhead metric may yield >> better insight how an IUT "lifts" or handles connection maintainance. Kevin> Kevin, I'd like a clarification of what's meant by "connection Kevin> overhead." The memory cost of opening a socket is Given n current connections, how much time does it take for the n+1'th connection to be opened. Kevin> implementation-specific, and a DUT/SUT that uses 100 kbytes of Kevin> memory for each connection may or may not move bits on the wire Kevin> more slowly than one requiring only 10 kbytes. That's a firewalls The internals issue is more to do with the kind of data structure that is used to store the connection state. Also, whether or not a new process needs to be created to handle that connection. Kevin> Another option is to make the connection definition(s) very Kevin> specific to the workings of TCP, UDP, and ICMP, and count only Kevin> those conversations which have successfully navigated the setup Kevin> procedures of each protocol. I'm reluctant to do that; better to Kevin> have a more general definition. ICMP isn't a protocol in the same way TCP and UDP are. TCP and UDP make use of IP services. Some of these services are carried by ICMP datagrams. A firewall that doesn't consider an ICMP MUST FRAGMENT to be associated with a TCP connection (i.e. Path MTU discovery) is violating the IP protocol. [The firewall needn't let it in: it could process it locally, adjusting its own view of fragment size and perhaps emitting an ICMP out the other end.] The only ICMP that may consistute a protocol *may* be ECHO/ECHO RESPONSE. :!mcr!: | Sandelman Software Works Corporation, Ottawa, ON Michael Richardson | SSH IPsec: http://www.ssh.fi/. Secure, strong, international Personal: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available. Corporate: <A HREF="http://www.sandelman.ottawa.on.ca/SSW/">sales@sandelman.ottawa.on.ca</A>.
- Re: Thoughts on firewall performance draft Kevin Dubray
- Re: Thoughts on firewall performance draft Michael C. Richardson
- Re: Thoughts on firewall performance draft David Newman