* Florin Andrei <florin@andrei.myip.org> [2007-10-09 22:54]:
> Henning Brauer wrote:
>> * Florin Andrei <florin@andrei.myip.org> [2007-10-09 19:34]:
>>>> then, an i386 kernel should perform considerably better than amd64 for
>>>> firewalling/routing/...
>>> That is surprising. What is the reason?
>> we dunno really. it hasn't been benched in some time so it might not even be
>> true any more, but last time the difference was dramatic.
>
> Then I will do some tests with 4.2 on gigabit-capable hardware. If anything
> noteworthy comes out, I'll post the results.
> Don't expect something too fancy, but I guess anything is better than
> nothing.
>
>>> How much RAM can the i386 kernel use on an amd64 machine?
>> 4GB minus pci space
>
> Hmmm.
>
> Please correct me if I'm wrong:
> Let's say a firewall is connected to a pretty fast Internet pipe (in the
> gigabit range). Let's say there's a DDoS against this environment. In
> theory, the firewall would need lots of RAM so that it can deal with the
> incoming nasty packets, create an entry for each packet in the state table
> (don't know the correct name for it in OpenBSD, sorry), then expire it
> after a while.
> In theory, the firewall could be tweaked to expire unused states quickly,
> but still, more RAM is better when dealing with a DDoS.
nope.
the kernel will not ever use more than 1 GB (or was it 768MB? memory
fuzzy).
more than 1 GB of memory on a firewall even hurts. ok, not much. but a
bit.
> What's still not clear to me is how much RAM I should provision per 1Gb of
> bandwidth on OpenBSD, assuming there's an incoming worst-case-scenario
> DDoS, that consumes RAM (and other resources) on the firewall yet leaves
> some bandwidth open for legitimate traffic (so the firewall must be able to
> continue to let the good traffic pass through). Also assuming some tweaking
> has been done on the firewall to expire the bad stuff quickly without
> affecting legitimate traffic.
RAM is not your concern on a firewall.
>>> If the SMP kernel does not actually hurt performance, I might have to use
>>> it.
>> it does. seriously. locking is not free.
>
> Aw, damn. I was hoping that's not quite the case.
>
> Well, then hopefully the dynamic routing daemons won't get too greedy and
> DoS the firewall from within. :-)
no, they won't.
they only get the cpu cycles not required for packet forwarding (well,
interrupts + softint handling really) anyway.
> Or I may have to re-think the whole
> environment and forget the idea of doing any kind of dynamic routing on the
> firewall - from a security perspective, dynamic routing on the firewall
> sucks anyway.
no, not really, not if done right.
--
Henning Brauer,
hb@bsws.de ,
henning@openbsd.org
BS Web Services,
http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
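As an added illustration of the "tweaking to expire the bad stuff quickly without affecting legitimate traffic" that Florin assumes in the quoted text above, here is a pf.conf fragment written for this archive page; it is not configuration posted by either participant. The interface names, the table name and every numeric limit are assumed values picked for illustration and would be sized to the real link and host.

```pf
# Added example pf.conf fragment (not from the thread). Interface names,
# the table name and all numeric limits are assumed values.
ext_if = "em0"
int_if = "em1"

# Sources that exceed the per-source limits below are collected here and
# dropped by the block rule; "persist" keeps the table even when empty.
table <flooders> persist

# Hard cap on the state table so a flood cannot grow it without bound.
set limit states 100000

# Adaptive timeouts: once the table holds more than adaptive.start
# entries every timeout is scaled down linearly, reaching zero at
# adaptive.end. Idle states therefore expire faster exactly when the
# table is under pressure; below adaptive.start nothing changes.
set timeout { adaptive.start 60000, adaptive.end 120000 }

# Half-open TCP states (what a SYN flood leaves behind) get short lifetimes;
# established connections keep their normal timeouts.
set timeout { tcp.first 30, tcp.opening 10 }

block in quick on $ext_if from <flooders>

# Per-source limits: one address may hold at most 100 states and open at
# most 50 new connections per 5 seconds. Exceeding either limit adds the
# address to <flooders> and flushes every state it already holds.
pass in on $ext_if proto tcp to ($ext_if) port { 80, 443 } \
    flags S/SA keep state \
    (source-track rule, max-src-states 100, max-src-conn-rate 50/5, \
     overload <flooders> flush global)
```

While a flood is in progress, `pfctl -si` shows the current state count against the limit and `pfctl -t flooders -T show` lists the addresses that tripped the per-source limits; if legitimate clients appear there, the max-src-* values are too tight for that service. The adaptive.start/adaptive.end pair is the knob that matches the thread's point: the table is bounded and drains itself under load, so extra RAM buys nothing here.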