Re: Building a Gigabit firewall
- To: misc@openbsd.org
- Subject: Re: Building a Gigabit firewall
- From: Claudio Jeker <cjeker@ee.ethz.ch>
- Date: Fri, 1 Feb 2002 15:06:25 +0100
- Content-Disposition: inline
- Mail-Followup-To: Claudio Jeker <cjeker@ee.ethz.ch>, misc@openbsd.org
- References: <20020131181827.80195.qmail@web10106.mail.yahoo.com> <11363828941.20020131184527@ifrance.com> <3C5A8096.B1E87958@comp.ita.br>
- User-Agent: Mutt/1.3.25i
On Fri, Feb 01, 2002 at 09:48:38 -0200, Cecilia A. Castro Cesar wrote:
> I'm really worried about gigabit firewall.
> I have read (Computer Network - Tanenbaum), as a rule of thumb, that
> a machine with 100MIPS can treat only 16Mbps! It is mainly because of the excessive
> copies in the protocol layers. The author says that the bottleneck is not the NIC
> itself but the combination CPU, memory and protocols.
> It makes me think that a good OS project is imperative!
> Cecilia
>
This is not fully correct. The horsepower of today's CPUs is gigantic; the
bottlenecks are mainly the memory and, even worse, the interrupt handling.
OK, the BSD networking stack is not the best, but with the mbufs the
"excessive copies in the protocol layers" are not the big problem
(especially because on a firewall the packet never leaves the kernel).
The big problem is interrupt handling. On a 1Gb Ethernet more than 1
million packets per second are possible. If you need an interrupt for every
packet you cannot reach such high throughputs.
There are two solutions:
1. reduce interrupt load (handle multiple packets per interrupt, reducing
overhead (fewer context switches, PCI accesses etc...))
I thought that FreeBSD 5 -current has something like this (never had the
time to have a closer look at it)
2. use a different architecture, there is a lot of work on network
processors with the needed power.
Princeton has a system to handle up to 3 million packets per second
(forwarding only, no firewall). For more info see:
http://www.CS.Princeton.EDU/nsg/papers/ixp-sosp.html
--
:wq Claudio