Paul Robertson wrote:
>
> Hmmm, is this because "normal" rules aren't optimized or hashed, but state
> tables were kind of pre-assumed to be a performance issue, and therefore
> given performance attention at the design stage? Maybe it's just because
> the state information is easy to do a boolean comparison on?

I'll concede that maybe our rule lookups could be faster. Heck, not even
maybe, they _could_ be faster, given enough head scratching and cool
algorithm design.

It's just that it sort of feels iffy to me. The ruleset is the ultimate
policy enforcement point. I'm personally not altogether comfortable with
changing this from an easily verifiable linear lookup with straightforward
comparisons to some n-dimensional single-hop constant-time lookup that you
need a master's degree in math and a minor in CS to understand.

This is not to say that it hasn't been done. There was this company that
shall remain nameless that sold cool blue boxes with blitzingly fast rule
lookups and no statefulness. Today, they tout header compression.

> Have any kind of feel for where the line is? Daniel's 5000 to 100 mention
> has me wondering if we can codify the sorts of places where this can be an
> easy performance win for folks who are in high utilization scenarios.

Ugh. If it was just a line, I might be able to give you an estimate.
Unfortunately, it's more like a 3D function surface of state creation rate,
ruleset size, and raw throughput. Not to mention product specifics.

It is however an interesting question. I think I'll coerce the QA people
into cranking out some more diagrams when I'm done abusing them with all
the testing for the current release :)

For our software on current hardware, I think something along the line of
"tens of thousands of connections per second" coupled with "the first
handful of rules" would be where statelessness might pay off, but I don't
think that's anywhere near useful as general advice.

> Why can't I log stateless rules?

Answered in another subthread.

> [1] We had a dearth of gameshow sounds in this thread ;)

*meEEep*

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
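The trade-off discussed above (a linear, easily audited top-down rule walk versus a hashed, constant-time state table, and why statelessness only pays off when the matching rule sits in "the first handful" and state creation is very frequent) can be made concrete with a small cost model. The following is an added example written for this archive page; it is not code from the original post, from Clavister, or from any real firewall. The `Rule`, `Packet` and `Firewall` classes, the 5000-rule ruleset, the 100-packet flow and the operation counters are all constructed for illustration and stand in for the "5000 to 100" figures mentioned in the thread.

```python
"""Cost model for linear rule lookup vs. a hashed state table.

Added example; not code from the original post, from Clavister, or from
any real firewall. The ruleset, the packets and the operation counts are
constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Optional[int]     # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Plain field comparisons, as in a linear top-down ruleset walk."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dport:
        return False
    return True


@dataclass
class Firewall:
    rules: list
    stateful: bool = True
    state: dict = field(default_factory=dict)   # 5-tuple -> verdict
    rule_compares: int = 0      # rule comparisons performed so far
    state_lookups: int = 0      # hashed state-table probes so far

    def _linear_lookup(self, pkt: Packet) -> Optional[Rule]:
        # First match wins; every rule visited costs one comparison.
        for rule in self.rules:
            self.rule_compares += 1
            if rule_matches(rule, pkt):
                return rule
        return None             # fell off the end: implicit deny

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.stateful:
            self.state_lookups += 1
            hit = self.state.get(key)
            if hit is not None:     # constant-time hit, ruleset never walked
                return hit
        rule = self._linear_lookup(pkt)
        verdict = rule.action if rule else "deny"
        if self.stateful and verdict == "allow":
            # A real engine also enters the reverse tuple so replies match;
            # omitted here because only one direction is counted below.
            self.state[key] = verdict
        return verdict


def make_ruleset(n_rules: int, allow_at: int) -> list:
    """n_rules non-matching deny rules plus one allow rule at index allow_at."""
    rules = [Rule(f"filler{i}", "deny", "tcp", 10000 + i) for i in range(n_rules)]
    rules.insert(allow_at, Rule("web", "allow", "tcp", 443))
    return rules


def run_flow(rules: list, stateful: bool, n_packets: int) -> dict:
    """Push one TCP/443 flow of n_packets through the filter and count work."""
    fw = Firewall(rules, stateful)
    pkt = Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 443)   # constructed
    verdicts = {fw.filter(pkt) for _ in range(n_packets)}
    return {"verdicts": verdicts,
            "rule_compares": fw.rule_compares,
            "state_lookups": fw.state_lookups}


if __name__ == "__main__":
    for allow_at in (4999, 2):
        rules = make_ruleset(5000, allow_at)
        for stateful in (False, True):
            r = run_flow(rules, stateful, 100)
            print(f"allow rule at {allow_at:>4}, stateful={stateful!s:5}: "
                  f"{r['rule_compares']:>7} rule compares, "
                  f"{r['state_lookups']:>4} state lookups")
```

With the allow rule near the bottom of 5000 rules, a 100-packet flow costs 500,000 comparisons stateless but only 5,000 comparisons plus 100 hash probes stateful. Move the rule to the top of the ruleset and the stateless cost drops to 300 comparisons against 3 comparisons plus 100 probes, which is the regime where the extra state-table work stops paying for itself; shorten the flows (many connections per second, few packets each) and the balance tips further toward statelessness, which is exactly the three-variable surface of state creation rate, ruleset size and throughput the post describes.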
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 14:44:34 PDT