Henning Brauer wrote:
* Florin Andrei <[EMAIL PROTECTED]> [2007-10-09 19:34]:
then, an i386 kernel should perform considerably better than amd64 for
firewalling/routing/...
That is surprising. What is the reason?
we dunno really. it hasn't been benched in sometimesoit might not even
be true nay more, but last time the difference was dramatic.
Then I will do some tests with 4.2 on gigabit-capable hardware. If
anything noteworthy comes out, I'll post the results.
Don't expect something too fancy, but I guess anything is better than
nothing.
How much RAM can the i386 kernel use on an amd64 machine?
4GB minus pci space
Hmmm.
Please correct me if I'm wrong:
Let's say a firewall is connected to a pretty fast Internet pipe (in the
gigabit range). Let's say there's a DDoS against this environment. In
theory, the firewall would need lots of RAM so that it can deal with the
incoming nasty packets, create an entry for each packet in the state
table (don't know the correct name for it in OpenBSD, sorry), then
expire it after a while.
In theory, the firewall could be tweaked to expire unused states
quickly, but still, more RAM is better when dealing with a DDoS.
What's still not clear to me is how much RAM I should provision per 1Gb
of bandwidth on OpenBSD, assuming there's an incoming
worst-case-scenario DDoS, that consumes RAM (and other resources) on the
firewall yet leaves some bandwidth open for legitimate traffic (so the
firewall must be able to continue to let the good traffic pass through).
Also assuming some tweaking has been done on the firewall to expire the
bad stuff quickly without affecting legitimate traffic.
But all that depends on the actual legitimate traffic and on the
firewall rules.
I guess that's another way of saying "more tests are needed". :-/
If the SMP kernel does not actually hurt performance, I might have to use
it.
it does. seriously. locking is not free.
Aw, damn. I was hoping that's not quite the case.
Well, then hopefully the dynamic routing daemons won't get too greedy
and DoS the firewall from within. :-) Or I may have to re-think the
whole environment and forget the idea of doing any kind of dynamic
routing on the firewall - from a security perspective, dynamic routing
on the firewall sucks anyway.
Looks like my performance test matrix just got bigger by a factor of 2x.
:-/ But the bad combinations should get pruned pretty quickly, I guess.
+-----+-------+-------+
| \ | i386 | amd64 |
+-----+-------+-------+
| SMP | | |
+-----+-------+-------+
| UP | | |
+-----+-------+-------+
--
Florin Andrei
http://florin.myip.org/
