Date: Thu, 19 Sep 1996 13:55:43 -0400 From: dennis@etinc.com (Dennis) To: Joe Greco <jgreco@brasil.moneng.mei.com> Cc: hackers@freebsd.org Subject: Re: Routers - hardware received wisdom Message-ID: <199609191755.NAA13350@etinc.com>
next in thread | raw e-mail | index | archive | help
>> Joe, with all due respect.... >> >> It depends on "why" the packets were dropped. With our product, they can >> be dropped only if.... >> >> 1) The recieve process cannot get a buffer >> 2) The on-board buffers become overrun. >> >> Only 2 is a CPU issue, and there is virtually no way the you can get that >> situation on >> a single T1 unless your machine is off doing something else for long periods of >> time...like processing ethernet packets. With 2 byte packets, yes, but not with >> IP size packets (44 or more bytes). This is so highly unusual that it >> shouldnt be >> considered. >> >> Dennis >> >> Dennis > >Dennis^2, > >With all due respect, squared... the case where the machine is acting >as a _router_ is precisely what I am talking about... the case where >the CPU is maxxed out, inbound Ethernet packets are being silently >ignored because the CPU is maxxed out, and the outbound bandwidth on >the T1 is less than saturation. Or vice versa: inbound packets on the >T1 interface are getting dropped because the CPU is too busy dealing >with the previous packets. Or both conditions simultaneously. >You _can_ saturate a 486DX5/133 by routing ping sized packets. > >I believe your average ping packet is about 100 bytes, including IP header, >etc. > >A T1 is 1.544Mbps, at 8 bit bytes that is about 193,000 bytes/sec. >That means the router needs to handle 1930 packets per second. When >you consider that that means 1930 _in_ via one interface and _out_ via >another, that means 3860 packets per second - assuming the remote >site does not respond to your pings. Remember that T1 is full-duplex.....so you need to double the potential.... > >My observations during stress testing have been that at 500 packets per >second, the CPU is maybe 85-90% idle. Linearly extrapolating to CPU >saturation, I conclude that the CPU should be able to handle 3000-5000 >packets per second... however my observed performance indicates that it >is not linear and performance falls off at about 50% CPU idle... and >3000 pps is a good number to be able to hit. The number we are >contemplating (3860) is in excess of that. > >Now start considering what happens when the replies for those pings come >in. :-) > >Or what happens when somebody starts shooting zillions of small packets >at you in a denial of service attack. > >Think it can't/won't happen? Think of what would happen to you if >somebody started pounding on www.etinc.com with a "small packet" attack >from a DS3 connected site. What can you do? You _must_ receive the >packets, or you _must_ go off line. This may not be such a concern to >a small business, but an ISP who has paying customers... such an attack >could be deadly. Id doesnt matter what they are connected at.....you cant receive at higher then your bandwidth....you cant kill me on my 56k line, you just CANT do it! > >I am not saying it is typical or it is even a major concern, but people >need to know what the _worst_ case scenario is in order to make >intelligent decisions. > >I have seen the same router we are discussing saturate a T1 at 96% idle >(ok it was fluctuating in the low 90's and that was the peak) with a >large number of FTP transfers. There is _NO DOUBT_ in my mind that this >is great. > >For what it's worth, I have seen or heard stories of other folks with >"T1" capable hardware that gets swamped with much lower levels of packet >traffic than this. I firmly believe that this is one of the best soln's >available to anyone building a router. However, _there_ _are_ _limits_ >to what you can expect out of the system. Please...T1 hardware is not the issue. The board can do 16Mbs single flag separated. The issue is the ability of the host to get the packet off of the board. at 5us per character, you've got 200us to pull off a 40byte packet. Thats your limit on the board. You've got a 32K buffer to protect against cpu contention, which is plenty. Now ethernet is more difficult. The PCI cards are bus masters, so the only hardware reason to drop packets is that you cant get the bus....considering there is no memory on the card, you have to transfer at full bandwidth 100% of the time. I'm not sure that you are correctly diagnosing the reason that packets are getting dropped, and its certainly not easy to do so. Although it is true that most '486 ISA/PCI bridge chipsets are very inefficient....there could be a limitation there as well. The bottom line is that, normally, a '486 is fine for a T1 or even 2. Cisco 2501s are less intelligent and have a 30mhz 68030.....and lots of people use them. Dennis
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199609191755.NAA13350>