
Re: Traffic selectors, fragments, ICMP messages and security policy problems



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Tero" == Tero Kivinen <kivinen@iki.fi> writes:
    Tero> Michael Richardson writes:
    >> I'm assuming that assembling fragments at either end for checking
    >> is too expensive for high speed boxes that won't wish to queue.

    Tero> I don't really believe that. I think there are boxes out there

  At 1Gb/s, I believe it.
  At 10Gb/s, it is presently hard. Not impossible, but hard.
  Once 10Gb/s is solved, it will be hard at 40Gb/s (assuming OC768 is
the next step). 

  But, if in the functional design specification, we say:

    1) cope with fragments
    2) have port-selectors
    3) be BITW/gateway

  pick two, is the *requirement*, then vendors can build the 40Gb/s box
tomorrow that can't do port-selectors, and the one that can, the
following week.

    Tero> that can handle 100 MBit/s or even 1 Gbit/s NFS traffic
    Tero> without problems. All the packets there are fragments (8kB or

  There is a reason that NFS appliances want to move to TCP rather than
UDP (and NFSv4 supports that). There are lots of TCP offload engines out
there, and probably some that can do IPsec as well. With PMTU they can
optimize the packet size, and they don't have to deal with fragments.

  Further, if they in-board IPsec, then they aren't a gateway/BITW, so
they can make sure that every fragment gets the same treatment.

    Tero> Does anybody have any statistics how much of the packets in
    Tero> the net are fragmented?

  It varies by which part of the network you look at.
  (And I recall a discussion like this at my desk with you, TMO, TATU in
fall of 1997...)

  The backbone doesn't have a lot of UDP traffic, except for DNS, which
is kept artificially below the fragmentation limit. Enterprise networks
that might be extended over IPsec VPNs are a different matter. SANs that
get extended might have further different properties.

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQFh+zYqHRg3pndX9AQH2IQQA3em4FdcKqij20QderSMZ8lRhUCpSFdow
vyujMUb6rWSb4xCosf22cm3tyEn3x+Xn79ZkOXpCFb7pWsXNixFRwj0b7XyOy5um
QWDcQmzar4NR+kj1h5e+UHf0BMZcu5cy7+ueV+E/jahdoc0WrLztdAfVTjKIap6S
8nx4GonZazg=
=d7gx
-----END PGP SIGNATURE-----
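The policy problem the thread is circling (port selectors versus fragments on a BITW/gateway box) is easy to see in code. The following is an added example, not code from the message above or from any IPsec implementation: it builds two constructed IPv4 fragments of one NFS-over-UDP datagram, extracts the selector fields an SPD lookup would use, and runs a first-match lookup against two hypothetical SPDs. The names (`build_ipv4`, `parse_selectors`, `spd_lookup`, the SPD entry layout and the addresses) are all assumptions of this example. The point it makes is that only the first fragment carries the UDP header, so a policy that keys on the NFS port cannot classify the later fragments at all; the gateway must either drop them, reassemble, or carry a port-less rule alongside.

```python
import ipaddress
import struct

# Transport protocol numbers used below.
PROTO_TCP, PROTO_UDP = 6, 17


def build_ipv4(src, dst, proto, ident, frag_offset, more_fragments, payload):
    """Build a minimal 20-byte IPv4 header (no options, checksum left zero)
    in front of payload. frag_offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr + payload


def parse_selectors(pkt):
    """Extract the fields an IPsec SPD lookup needs from one IPv4 packet.
    Ports are only recoverable from the first fragment (offset 0); later
    fragments of the same datagram carry no transport header."""
    (_, _, _, _, flags_frag, _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (pkt[0] & 0x0F) * 4
    offset = flags_frag & 0x1FFF
    sel = {
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "proto": proto,
        "offset": offset,
        "more_fragments": bool(flags_frag & 0x2000),
        "ports": None,
    }
    if offset == 0 and proto in (PROTO_TCP, PROTO_UDP) and len(pkt) >= ihl + 4:
        sel["ports"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return sel


def spd_lookup(pkt, spd):
    """First-match SPD lookup (hypothetical entry layout for this example).
    Each entry is (src_net, dst_net, proto, dport, action); proto and dport
    may be None meaning 'any'. An entry with a port selector cannot match a
    packet whose ports are unknown, so a non-initial fragment falls through
    it. No match at all is treated as DISCARD, the conservative default."""
    sel = parse_selectors(pkt)
    for src_net, dst_net, proto, dport, action in spd:
        if sel["src"] not in src_net or sel["dst"] not in dst_net:
            continue
        if proto is not None and sel["proto"] != proto:
            continue
        if dport is not None:
            if sel["ports"] is None:
                continue  # port selector, but this fragment has no transport header
            if sel["ports"][1] != dport:
                continue
        return action
    return "DISCARD"


# Constructed sample traffic: one 8 kB NFS-over-UDP datagram split at a 1500-byte
# MTU. The first fragment carries the UDP header (dport 2049); the second does not.
SRC, DST = "10.1.1.5", "10.2.2.9"
UDP_HDR = struct.pack("!HHHH", 800, 2049, 8 + 8192, 0)
FIRST_FRAGMENT = build_ipv4(SRC, DST, PROTO_UDP, 0x1234, 0, True, UDP_HDR + b"A" * 1472)
LATER_FRAGMENT = build_ipv4(SRC, DST, PROTO_UDP, 0x1234, 185, True, b"B" * 1480)

INNER, OUTER = ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16")
# Hypothetical SPD that protects NFS by port only.
SPD_PORT_ONLY = [(INNER, OUTER, PROTO_UDP, 2049, "PROTECT")]
# Same SPD with a port-less rule for the same hosts, so later fragments still match.
SPD_WITH_FALLBACK = SPD_PORT_ONLY + [(INNER, OUTER, PROTO_UDP, None, "PROTECT")]


if __name__ == "__main__":
    for name, pkt in (("first fragment", FIRST_FRAGMENT), ("later fragment", LATER_FRAGMENT)):
        sel = parse_selectors(pkt)
        print(f"{name}: offset={sel['offset']} ports={sel['ports']} "
              f"port-only={spd_lookup(pkt, SPD_PORT_ONLY)} "
              f"with-fallback={spd_lookup(pkt, SPD_WITH_FALLBACK)}")
```

The port-only SPD protects the first fragment and silently drops the rest of the datagram, which is exactly the "cope with fragments / have port selectors / be a gateway: pick two" trade-off. The fallback entry restores delivery, but only by widening the protected class to all UDP between those networks; reassembling before lookup is the other option, at the cost the message discusses.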