Filter performance req rewritten
The filter performance req was one that seemed to be causing trouble.
Rewritten version below. Synopsis: stateless, layer 3/4 with caveats
about the interpretation of "significant performance degradation".
See if this is better.
04> 2.7.4 Ability to Filter Without Significant Performance Degradation
04>
04> Requirement.
04>
04> The device MUST provide a means to filter packets without
04> significant performance degradation. This specifically applies
04> to stateless packet filtering operating on layer 3 (IP) and
04> layer 4 (TCP or UDP) headers, as well as normal packet
04> forwarding information such as incoming and outgoing interfaces.
04>
04> The device MUST be able to apply stateless packet filters on ALL
04> interfaces (up to the maximum number possible) simultaneously
04> and with multiple filters per interface (e.g., inbound and
04> outbound).
04>
04> Justification.
04>
04> This enables the implementation of filtering wherever and
04> whenever needed. To the extent that filtering causes
04> degradation, it may not be possible to apply filters that
04> implement the appropriate policies.
04>
04> Examples.
04>
04> Another way of stating the requirement is that filter
04> performance should not be the limiting factor in device
04> throughput. If a device is capable of forwarding 30Mb/sec
04> without filtering, then it should be able to forward the same
04> amount with filtering in place.
04>
04> Warnings.
04>
04> The definition of "significant" is subjective. At one end of
04> the spectrum it might mean "the application of filters may cause
04> the box to crash". At the other end would be a throughput loss
04> of less than one percent with tens of thousands of filters
04> applied. The level of performance degradation that is
04> acceptable will have to be determined by the operator.
04>
04> Repeatable test data showing filter performance impact would be
04> very useful in evaluating conformance with this requirement.
04> Tests should include such information as packet size, packet
04> rate, number of interfaces tested (source/destination), types of
04> interfaces, routing table size, routing protocols in use,
04> frequency of routing updates, etc. See
04> [I-D.ietf-bmwg-acc-bench-framework].
04>
04> This requirement does not address stateful filtering, filtering
04> above layer 4 headers or other more advanced types of filtering
04> that may be important in certain operational environments.
George M. Jones | Lawyers rip into people like a monkey rips into a
| cupcake.
|
| Ray Romano
gmj@pobox.com