
RE: draft-morrow-filter-caps-00 comments



> > > 2)
> > >
> > > 2.1.3  Ability to Filter Traffic To the Device - Minimal Performance
> > >        Degradation
> > >
> > > ==> this section is too ambiguous to be of any real use.  I guess
> > > you'll _have_ to specify at least "minimum" minimum performance
> > > degradation -- if the vendor can't perform even _that_, it shouldn't
> > > claim to be compliant (e.g., a device should be able to deal with 50
> > > address/port based rules with no change to the maximum transfer rate
> > > with 20 byte packets).
> >
> > The performance degradation I was aiming at was: "console access" or
> > "management access" limitations... a 7206 can filter (sort of) 5kpps
> > aimed at the device once you put on receive-path acls, but it won't be
> > very happy about that filtering and device CPU will shoot to 99% :(
> > That's unacceptable. Filtering "TO THE DEVICE" should have no impact
> > on device CPU/management/console...
>
> That's a useful distinction.... we do want to address the filter THROUGH
> w/minimal degradation as well.

I still do not understand where you get the processing power to classify and
drop the packet destined to the router. The expectation that some sort of
processing cycles will magically appear on a CPU based platform does not match
the reality of how a packet is processed. It does not matter what type of OS you
have, you're still going to get CPU spikes under a DoS directed at the box.
I've been through five different OS architectures on our gear and all have
CPU spikes. The differences are all in how many drops you process before
you start taildropping in your input queues.

As I mentioned before, management/console impact can be mitigated through CPU
scheduling tricks. So that is a requirement that is achievable by vendors
who build CPU based equipment.

ASIC platforms are different. You can layer, contain, microcode, queue, and
do other things to ensure that the classification/action/accounting on
packets destined for the device has minimal collateral impact.