[4608] in North American Network Operators' Group


High-speed filtering boxes (Was: Re: SYN floods...)

daemon@ATHENA.MIT.EDU (Paul Frommeyer)
Thu Sep 19 04:41:56 1996

To: perry@piermont.com
Cc: nanog@merit.edu
In-Reply-To: Your message of Thu, 12 Sep 1996 14:41:09 -0400.
             <199609121841.OAA06820@jekyll.piermont.com> 
Date: Thu, 19 Sep 1996 01:38:42 -0700
From: "Paul Frommeyer" <corwin@milo.palas.com>

 
"Perry E. Metzger" <perry@piermont.com> is alleged to have said:
| BTW, I would suggest that for a variety of applications, hardware
| assisted filtering boxes that simply take in IP one end and put out
| processed IP on the other end would be of use -- not just for this,
| but also for helping in doing packet traces through high traffic
| areas, for implementing firewalls, and for all sorts of other
| things. Vendors, are you listening?

Listening? Um, we make such a product, it's been shipping for some time. Our
network address translator, product name Private Internet Exchange, can do 
what you ask, and with speed to spare, too. It seems to be sort of an SR-71
for packet-filtering-- our engineers haven't been able to tell me just
what the upper performance bounds are because they seem to have trouble
finding them. Right now we offer Fast Ethernet and Ethernet interfaces; I'm
sure if there's enough market interest we'd look into doing FDDI or perhaps
ATM OC3c. FWIW, last estimates I heard were that the box should scale to
around 70K flows or so, which would be enough to handle a NAP connection,
I should think. This is all at full line rate. More info on our web site, see

	http://www.cisco.com/warp/public/751/pix/index.html

I've suggested to the PIX engineers that they look into whether it is
possible to have the PIX reserve enough data structures in the IP queue
to "stay ahead" of line rate flooding of SYN packets. In other words, you'd
always have a connection being torn down even as more bogons came in. That
would let good packets through, too, along with the evil ones. No word yet; I 
suspect that due to the long timeout needed for bogus source addresses that 
this won't be doable, but it'd sure be a nice way to pull the teeth on a
SYN flood.

FWIW,
	Cheers,
		Paul

                          Paul "Corwin" Frommeyer
        Work              Internet Engineer, CCIE               Play
 ISP Systems Engineer                                 Network Sorcerer At Large
 Cisco Systems, Inc.                                    Paul's Fone Company
 pfrommey@cisco.com                                       corwin@palas.com
      *** Speaking solely for myself unless otherwise noted ***
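
As an added illustration of the "stay ahead of the flood" idea in the post above (a simulation written for this page, not PIX or Cisco code): a bounded half-open connection table that tears down its oldest entry whenever a new SYN arrives and the table is full, compared with one that refuses new SYNs until the ordinary timeout frees a slot. Capacity, timeout, flood rate and round-trip time are made-up parameters.

```python
# Simulation of a bounded half-open (SYN_RCVD) table under a SYN flood.
# Written for this page, not PIX/Cisco code; all sizes and rates are made up.
from collections import OrderedDict


class HalfOpenTable:
    """Entries leave on the client's ACK, after `timeout` ticks, or (if evict_oldest) by teardown."""

    def __init__(self, capacity, timeout, evict_oldest):
        self.capacity, self.timeout, self.evict_oldest = capacity, timeout, evict_oldest
        self.table = OrderedDict()  # key -> arrival tick; insertion order == age order
        self.refused = self.evicted = 0

    def expire(self, now):
        # Ordinary timeout: an entry leaves only after waiting the full period,
        # the "long timeout" that a spoofed source forces the box to sit through.
        while self.table and now - next(iter(self.table.values())) >= self.timeout:
            self.table.popitem(last=False)

    def syn(self, key, now):
        if key in self.table:
            return
        if len(self.table) >= self.capacity:
            if not self.evict_oldest:
                self.refused += 1  # table full: the new SYN is dropped
                return
            self.table.popitem(last=False)  # tear down the oldest half-open entry
            self.evicted += 1
        self.table[key] = now

    def ack(self, key):
        """The handshake completes only if its half-open entry is still queued."""
        return self.table.pop(key, None) is not None


def completion_rate(evict_oldest, capacity=100, timeout=75, flood_per_tick=10,
                    legit_rtt=5, ticks=1000):
    """Fraction of real clients whose handshake completes under a constant flood."""
    t = HalfOpenTable(capacity, timeout, evict_oldest)
    pending, attempted, completed = [], 0, 0
    for now in range(ticks):
        t.expire(now)
        for i in range(flood_per_tick):  # spoofed sources that will never ACK
            t.syn(("bogus", now, i), now)
        t.syn(("legit", now), now)  # one real client per tick, ACKs after its RTT
        pending.append((now + legit_rtt, ("legit", now)))
        while pending and pending[0][0] <= now:
            attempted += 1
            completed += t.ack(pending.pop(0)[1])
    return completed / attempted
```

With these parameters the oldest-first policy completes every real handshake while the timeout-only policy completes almost none, because real entries are evicted only once (flood rate + real rate) x RTT exceeds the table capacity; that inequality is the "stay ahead of line rate" condition the post is asking the engineers about.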
