From: Florian Weimer <fw@deneb.enyo.de>
To: Jamal Hadi <hadi@shell.cyberus.ca>
Cc: ralph+d@istop.com, CIT/Paul <xerox@foonet.net>,
"'Simon Kirby'" <sim@netnation.com>,
"'David S. Miller'" <davem@redhat.com>,
"netdev@oss.sgi.com" <netdev@oss.sgi.com>,
"linux-net@vger.kernel.org" <linux-net@vger.kernel.org>
Subject: Re: Real World Routers 8-)
Date: Wed, 11 Jun 2003 20:41:51 +0200 [thread overview]
Message-ID: <877k7scv80.fsf_-_@deneb.enyo.de> (raw)
In-Reply-To: <20030611074007.S39760@shell.cyberus.ca> (Jamal Hadi's message of "Wed, 11 Jun 2003 07:47:44 -0400 (EDT)")
Jamal Hadi <hadi@shell.cyberus.ca> writes:
> Ok, this is interesting. I have never seen the flows per second
> used for simple L3 forwading. I have seen them being used for NAT or
> firewalling.
Some vendors still sell flow-based routers, and you should be able to
get this numbers if the vendor doesn't try to scam you.
> Looking at the sprint traffic patterns, i think flows/sec is a
> meaningful metric.
It's important to look at this number when buying a router, but I
still think that stateless IP fowarding is the way to go even if you
haven't got specialized hardware (TCAM).
>> Most vendors have learnt that people want routers with comforting
>> worst-case behavior. However, you have to read carefully, e.g. a
>> Catalyst 6500 with Supervisor Engine 1 (instead of 2) can only create
>> 650,000 flows per second, even if it has a much, much higher peak IP
>> forwarding rate.
>>
>
> So 2Mpps of 650Kflows/sec ?
Exactly. (You can use a different Supervisor Engine and get stateless
IP switching at 2 Mpps, at least according to the data sheets.)
> We should be able to punish specific misbehaving flows.
This is quite difficult because misbehaving flows often consist of a
single packet. Managing state for such flows is a waste, but you
hardly can now this when you have to decide whether you want to create
a new flow or not.
If you want to punish per-interface flows, forget it. Most routers
are not sufficiently multi-homed to make a difference, and attacks
often hit routers on multiple interfaces.
> Do you know if any routers are implementing proper DOS tracebacks to
> allow for inserting drop filters?
You mean IP Pushback? I haven't seen it on production routers, and
I'm pretty sure that no one uses it yet.
Flow-based traffic monitoring is available on most routers nowadays
(often sampled, though), even on routers that perform stateless IP
forwarding.
Anyway, just dropping packets locally doesn't help you *that* much,
you need cooperation of your upstream (and automated cooperation à la
IP Pushback is still far, far away, I presume).
next prev parent reply other threads:[~2003-06-11 18:41 UTC|newest]
Thread overview: 226+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-04-05 16:37 Route cache performance under stress Florian Weimer
2003-04-05 18:17 ` Martin Josefsson
2003-04-05 18:34 ` Willy Tarreau
2003-05-16 22:24 ` Simon Kirby
2003-05-16 23:16 ` Florian Weimer
2003-05-19 19:10 ` Simon Kirby
2003-05-17 2:35 ` David S. Miller
2003-05-17 7:31 ` Florian Weimer
2003-05-17 22:09 ` David S. Miller
2003-05-18 9:21 ` Florian Weimer
2003-05-18 9:31 ` David S. Miller
2003-05-19 17:36 ` Jamal Hadi
2003-05-19 19:18 ` Ralph Doncaster
2003-05-19 22:37 ` Jamal Hadi
2003-05-20 1:10 ` Simon Kirby
2003-05-20 1:14 ` David S. Miller
2003-05-20 1:23 ` Jamal Hadi
2003-05-20 1:24 ` David S. Miller
2003-05-20 2:13 ` Jamal Hadi
2003-05-20 5:01 ` Pekka Savola
2003-05-20 11:47 ` Jamal Hadi
2003-05-20 11:55 ` Pekka Savola
2003-05-20 6:46 ` David S. Miller
2003-05-20 12:04 ` Jamal Hadi
2003-05-21 0:36 ` David S. Miller
2003-05-21 13:03 ` Jamal Hadi
2003-05-23 5:42 ` David S. Miller
2003-05-22 8:40 ` Simon Kirby
2003-05-22 8:58 ` David S. Miller
2003-05-22 10:40 ` David S. Miller
2003-05-22 11:15 ` Martin Josefsson
2003-05-23 1:00 ` David S. Miller
2003-05-23 1:01 ` David S. Miller
2003-05-23 8:21 ` Andi Kleen
2003-05-23 8:22 ` David S. Miller
2003-05-23 9:03 ` Andi Kleen
2003-05-23 9:59 ` David S. Miller
2003-05-24 0:41 ` Andrew Morton
2003-05-26 2:29 ` David S. Miller
2003-05-22 11:44 ` Simon Kirby
2003-05-22 13:03 ` Martin Josefsson
2003-05-23 0:55 ` David S. Miller
2003-05-22 22:33 ` David S. Miller
2003-05-29 20:51 ` Simon Kirby
2003-06-02 10:58 ` Robert Olsson
2003-06-02 15:18 ` Simon Kirby
2003-06-02 16:36 ` Robert Olsson
2003-06-02 18:05 ` Simon Kirby
2003-06-09 17:21 ` David S. Miller
2003-06-09 17:19 ` David S. Miller
2003-05-23 0:59 ` David S. Miller
2003-05-26 7:18 ` Florian Weimer
2003-05-26 7:29 ` David S. Miller
2003-05-26 9:34 ` Florian Weimer
2003-05-27 6:32 ` David S. Miller
2003-06-08 11:39 ` Florian Weimer
2003-06-08 12:05 ` David S. Miller
2003-06-08 13:10 ` Florian Weimer
2003-06-08 23:49 ` Simon Kirby
2003-06-08 23:55 ` CIT/Paul
2003-06-09 3:15 ` Jamal Hadi
2003-06-09 5:27 ` CIT/Paul
2003-06-09 5:58 ` David S. Miller
2003-06-09 6:28 ` CIT/Paul
2003-06-09 6:28 ` David S. Miller
2003-06-09 16:23 ` Stephen Hemminger
2003-06-09 16:37 ` David S. Miller
2003-06-09 7:13 ` Simon Kirby
2003-06-09 8:10 ` CIT/Paul
2003-06-09 8:27 ` Simon Kirby
2003-06-09 19:38 ` CIT/Paul
2003-06-09 21:30 ` David S. Miller
2003-06-09 22:19 ` Simon Kirby
2003-06-09 22:54 ` Robert Olsson
2003-06-13 6:21 ` David S. Miller
2003-06-13 10:40 ` Robert Olsson
2003-06-15 6:36 ` David S. Miller
2003-06-17 17:03 ` Robert Olsson
2003-06-09 22:56 ` CIT/Paul
2003-06-09 23:05 ` David S. Miller
2003-06-10 13:41 ` Robert Olsson
2003-06-10 0:03 ` Jamal Hadi
2003-06-10 0:32 ` Ralph Doncaster
2003-06-10 1:15 ` Jamal Hadi
2003-06-10 2:45 ` Ralph Doncaster
2003-06-10 3:23 ` Ben Greear
2003-06-10 3:41 ` Ralph Doncaster
2003-06-10 18:10 ` Ralph Doncaster
2003-06-10 18:21 ` Ben Greear
2003-06-10 4:34 ` Simon Kirby
2003-06-10 11:01 ` Jamal Hadi
2003-06-10 11:28 ` Jamal Hadi
2003-06-10 13:18 ` Ralph Doncaster
2003-06-10 16:10 ` David S. Miller
2003-06-10 10:53 ` Jamal Hadi
2003-06-10 11:41 ` chas williams
2003-06-10 16:27 ` David S. Miller
2003-06-10 16:57 ` chas williams
2003-06-10 11:41 ` Pekka Savola
2003-06-10 11:58 ` John S. Denker
2003-06-10 12:12 ` Jamal Hadi
2003-06-10 16:33 ` David S. Miller
2003-06-10 12:07 ` Jamal Hadi
2003-06-10 15:29 ` Ralph Doncaster
2003-06-11 19:48 ` Florian Weimer
2003-06-11 19:40 ` CIT/Paul
2003-06-11 21:09 ` Florian Weimer
2003-06-10 13:10 ` Ralph Doncaster
2003-06-10 13:36 ` Jamal Hadi
2003-06-10 14:03 ` Ralph Doncaster
2003-06-10 16:38 ` David S. Miller
2003-06-10 16:39 ` David S. Miller
2003-06-10 18:41 ` Florian Weimer
2003-06-11 11:47 ` Was (Re: " Jamal Hadi
2003-06-11 18:41 ` Florian Weimer [this message]
2003-06-10 15:53 ` David S. Miller
2003-06-10 16:15 ` 3c59x (was Route cache performance under stress) Bogdan Costescu
2003-06-10 16:20 ` Andi Kleen
2003-06-10 16:23 ` Jeff Garzik
2003-06-10 17:02 ` 3c59x David S. Miller
2003-06-10 17:16 ` 3c59x Jeff Garzik
2003-06-10 17:14 ` 3c59x David S. Miller
2003-06-10 17:25 ` 3c59x Jeff Garzik
2003-06-10 17:30 ` 3c59x David S. Miller
2003-06-10 19:20 ` 3c59x Jeff Garzik
2003-06-10 19:21 ` 3c59x David S. Miller
2003-06-10 17:18 ` 3c59x Andi Kleen
2003-06-10 17:29 ` 3c59x chas williams
2003-06-10 17:31 ` 3c59x David S. Miller
2003-06-10 17:39 ` 3c59x chas williams
2003-06-10 17:43 ` 3c59x David S. Miller
2003-06-11 17:52 ` Route cache performance under stress Robert Olsson
2003-06-10 1:53 ` Simon Kirby
2003-06-10 3:18 ` Ralph Doncaster
2003-06-10 16:06 ` David S. Miller
2003-06-10 15:56 ` David S. Miller
2003-06-10 16:45 ` 3c59x (was Route cache performance under stress) Bogdan Costescu
2003-06-10 16:49 ` Andi Kleen
2003-06-11 9:54 ` Robert Olsson
2003-06-11 10:05 ` Andi Kleen
2003-06-11 10:38 ` Robert Olsson
2003-06-11 12:08 ` Jamal Hadi
2003-06-10 17:12 ` 3c59x David S. Miller
2003-06-10 17:19 ` Route cache performance under stress Ralph Doncaster
2003-06-10 15:49 ` David S. Miller
2003-06-10 17:33 ` Ralph Doncaster
2003-06-10 17:32 ` David S. Miller
2003-06-10 18:34 ` Robert Olsson
2003-06-10 18:57 ` David S. Miller
2003-06-10 19:53 ` Robert Olsson
2003-06-10 21:36 ` CIT/Paul
2003-06-10 21:39 ` Ralph Doncaster
2003-06-10 22:20 ` David S. Miller
2003-06-10 23:58 ` Ralph Doncaster
2003-06-10 23:57 ` David S. Miller
2003-06-11 0:41 ` Ralph Doncaster
2003-06-11 0:58 ` David S. Miller
2003-06-11 0:58 ` David S. Miller
2003-06-11 0:51 ` Ben Greear
2003-06-11 1:01 ` David S. Miller
2003-06-11 1:15 ` Ben Greear
2003-06-11 1:22 ` David S. Miller
2003-06-11 1:51 ` Ben Greear
2003-06-11 3:33 ` David S. Miller
2003-06-11 11:54 ` gettime: Was (Re: " Jamal Hadi
2003-06-11 12:08 ` Andi Kleen
2003-06-12 3:30 ` David S. Miller
2003-06-12 6:32 ` Ben Greear
2003-06-12 8:46 ` David S. Miller
2003-06-11 15:57 ` Ben Greear
2003-06-12 3:29 ` David S. Miller
2003-06-11 1:17 ` Ralph Doncaster
2003-06-11 1:23 ` David S. Miller
2003-06-11 7:28 ` Andi Kleen
2003-06-11 7:25 ` Andi Kleen
2003-06-11 17:40 ` Robert Olsson
2003-06-13 5:38 ` David S. Miller
2003-06-13 10:22 ` Robert Olsson
2003-06-13 17:15 ` Robert Olsson
2003-06-12 6:45 ` David S. Miller
2003-06-12 13:56 ` Robert Olsson
2003-06-12 21:35 ` David S. Miller
2003-06-13 10:50 ` Robert Olsson
2003-06-10 0:56 ` Ralph Doncaster
2003-06-09 11:38 ` Jamal Hadi
2003-06-09 11:55 ` David S. Miller
2003-06-09 12:18 ` Jamal Hadi
2003-06-09 12:32 ` David S. Miller
2003-06-09 13:22 ` Jamal Hadi
2003-06-09 13:22 ` David S. Miller
2003-06-09 8:56 ` David S. Miller
2003-06-09 22:39 ` Robert Olsson
2003-06-09 6:25 ` David S. Miller
2003-06-09 6:59 ` Simon Kirby
2003-06-09 7:03 ` David S. Miller
2003-06-09 13:04 ` Ralph Doncaster
2003-06-09 13:26 ` Jamal Hadi
2003-06-09 5:44 ` David S. Miller
2003-06-09 5:51 ` CIT/Paul
2003-06-09 6:03 ` David S. Miller
2003-06-09 6:52 ` Simon Kirby
2003-06-09 6:56 ` David S. Miller
2003-06-09 7:36 ` Simon Kirby
2003-06-09 8:18 ` Simon Kirby
2003-06-09 8:22 ` David S. Miller
2003-06-09 8:31 ` Simon Kirby
2003-06-09 9:01 ` David S. Miller
2003-06-09 9:47 ` Andi Kleen
2003-06-09 10:03 ` David S. Miller
2003-06-09 10:13 ` Andi Kleen
2003-06-09 10:13 ` David S. Miller
2003-06-09 10:40 ` YOSHIFUJI Hideaki / 吉藤英明
2003-06-09 10:40 ` David S. Miller
2003-06-09 14:14 ` David S. Miller
2003-06-09 6:47 ` Simon Kirby
2003-06-09 6:49 ` David S. Miller
2003-06-09 13:28 ` Ralph Doncaster
2003-06-09 16:30 ` Simon Kirby
2003-06-17 20:58 ` Florian Weimer
2003-06-09 5:38 ` David S. Miller
2003-06-10 3:05 ` Steven Blake
2003-06-12 6:31 ` David S. Miller
2003-06-08 17:58 ` Pekka Savola
2003-05-21 0:09 ` Simon Kirby
2003-05-21 0:13 ` David S. Miller
2003-05-26 9:29 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877k7scv80.fsf_-_@deneb.enyo.de \
--to=fw@deneb.enyo.de \
--cc=davem@redhat.com \
--cc=hadi@shell.cyberus.ca \
--cc=linux-net@vger.kernel.org \
--cc=netdev@oss.sgi.com \
--cc=ralph+d@istop.com \
--cc=sim@netnation.com \
--cc=xerox@foonet.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.