[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on draft-ietf-ipsec-new-auth-00.txt

To: "C. Harald Koch" <chk@utcc.utoronto.ca>
Subject: Re: Comments on draft-ietf-ipsec-new-auth-00.txt
From: Norman Shulman <norm@border.com>
Date: Wed, 23 Apr 1997 16:49:33 -0400
cc: ipsec@tis.com
In-Reply-To: <97Apr23.144337edt.11650@janus.border.com>
Sender: owner-ipsec@ex.tis.com

On Wed, 23 Apr 1997, C. Harald Koch wrote:

> In message <9704181331.AA15062@cichlid.raleigh.ibm.com>, Thomas Narten writes:
> > I also agree, and have been disheartened by the number of times the
> > above question has been asked but not answered.  Indeed, it has been
> > my impression that the vast majority of IP packets are delivered in
> > order (one reason why TCP's header prediction works well in
> > practice). It is rare in practice to have packets arrive out of
> > order. Which begs the question of whether a window is even
> > needed. Does someone have data that argues otherwise?
> 
> Two sample points, my internet firewalls (A good place to look, since they
> re-synthesize all TCP streams in/out. This is roughly akin to combining the
> statistics for all 100 hosts behind the firewalls...).
> 
> ----- elgreco -----
>  2:39pm  up 11 days,  4:51,  1 user,  load average: 0.25, 0.16, 0.05
> 
>         5796665 packets received
>                 2703533 acks (for 1066489852 bytes)
>                 3301088 packets (900448165 bytes) received in-sequence
>                 107878 completely duplicate packets (10966707 bytes)
>                 987 packets with some dup. data (122695 bytes duped)
>                 198927 out-of-order packets (40226774 bytes)
> 
> 
> ----- janus -----
>  2:38pm  up 11 days,  4:52,  1 user,  load average: 0.02, 0.06, 0.02
> 
>         28417190 packets received
>                 19533317 acks (for 371944057 bytes)
>                 21278080 packets (176197867 bytes) received in-sequence
>                 51170 completely duplicate packets (12418673 bytes)
>                 519 packets with some dup. data (63691 bytes duped)
>                 199859 out-of-order packets (69912188 bytes)
> 
> 
> That's 6.4 percent on elgreco, and 2.3 percent on janus, of all data packets
> received out-of-order. I wouldn't define that as "rare", especially given the
> (additional) performance penalties for dropping them instead of queueing them.

This is interesting data, but I think the percentages were miscalculated.
Apparently the formula used was out-of-order/(total - acks). But
note that acks + in-sequence > total, so it seems that acks includes all acks,
isolated and piggy-backed. I'm not sure exactly how all the statistics fit
together, but using a conservative formula that considers everything except
isolated acks

	out-of-order/(in-sequence + duplicates + out-of-order)

gives 5.5% on elgreco and 0.9% on janus. These proportions are too high to
ignore.

Norm

                   Norman Shulman      Secure Computing Canada
     	        Systems Developer      Tel 1 416 813 2075
                  norm@border.com      Fax 1 416 813 2001

References:

Re: Comments on draft-ietf-ipsec-new-auth-00.txt

From: "C. Harald Koch" <chk@utcc.utoronto.ca>

Prev by Date: RE: notes from developer's portion of IETF meeting
Next by Date: RE: notes from developer's portion of IETF meeting
Prev by thread: Re: Comments on draft-ietf-ipsec-new-auth-00.txt
Next by thread: Re: Comments on draft-ietf-ipsec-new-auth-00.txt
Index(es):
- Main
- Thread