After next Monday's oral presentation I'll have only one pesky "little" exam left ;)
The document is titled, "Supporting Fine-Grain Parallelism on Commodity General-Purpose Multicore Hardware," and will wrap up my research on using multicore processor (e.g., Intel quad-core Xeon processors) based systems as network processors (e.g., Intel IXP series).
The two key technologies so far are FastForward and the Frame Shared Memory architecture (FShm). FastForward is a cache-optimized core-to-core software communication mechanism (a concurrent lock-free data structure, for those that care) that decreases the observable latency by an order of magnitude (10x) over the previous gold standard described by Leslie Lamport in 1983. FShm is an organization that allows safe sharing of buffers between processes and network interfaces. The two have been used to demonstrate true line-rate bridging of 4 Gigabit Ethernet links without dropping a single frame. (In the context of networking, a frame is the link-layer message, while a packet usually refers to the application message.) One of the goals of the proposal is to increase the performance to support a single 10 Gigabit Ethernet stream, where frames can arrive at a rate of one every 67 nanoseconds.
Note: this is very different from a device claiming to support 10 gigabits per second aggregate over many ports while also allowing the system to randomly drop frames to achieve that level of performance.
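To make the difference between the two queue designs concrete, here is an added example that is not code from the FastForward project or from this proposal: a Lamport-style single-producer/single-consumer ring, where both cores read and write shared head and tail indices, beside a FastForward-style ring, where a slot's own contents (NULL meaning empty) carry the synchronization so each core writes only its own private index. The ring size, the constructed frame array and the roundtrip self-check helpers are assumptions made for the illustration.

```c
// Added example (not the project's code): two SPSC queues side by side.
// lamport_*: shared head/tail indices; the producer must read the consumer's
//            head (and vice versa), so the index cache line bounces between cores.
// ff_*     : FastForward-style; the slot value itself means empty (NULL) or full,
//            so each core touches only its own index plus the slot being used.
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define QSIZE 8   /* ring capacity; constructed value for the example */

/* ---- Lamport-style queue (1983): head and tail are shared state ---- */
typedef struct {
    void *buf[QSIZE];
    _Atomic size_t head;   /* next slot to dequeue; consumer writes, producer reads */
    _Atomic size_t tail;   /* next slot to enqueue; producer writes, consumer reads */
} lamport_q;

bool lamport_enqueue(lamport_q *q, void *item) {
    size_t t = atomic_load_explicit(&q->tail, memory_order_relaxed);
    size_t next = (t + 1) % QSIZE;
    /* "full" test needs the consumer's head: a cross-core read every call */
    if (next == atomic_load_explicit(&q->head, memory_order_acquire))
        return false;   /* one slot is always left empty to tell full from empty */
    q->buf[t] = item;
    atomic_store_explicit(&q->tail, next, memory_order_release);
    return true;
}

bool lamport_dequeue(lamport_q *q, void **out) {
    size_t h = atomic_load_explicit(&q->head, memory_order_relaxed);
    if (h == atomic_load_explicit(&q->tail, memory_order_acquire))
        return false;   /* empty */
    *out = q->buf[h];
    atomic_store_explicit(&q->head, (h + 1) % QSIZE, memory_order_release);
    return true;
}

/* ---- FastForward-style queue: the slot itself says whether it is full ---- */
typedef struct {
    void *_Atomic buf[QSIZE];   /* NULL == empty slot */
    size_t prod_idx;            /* private to the producer core */
    size_t cons_idx;            /* private to the consumer core */
} ff_q;

bool ff_enqueue(ff_q *q, void *item) {
    if (item == NULL) return false;   /* NULL is reserved as the empty sentinel */
    if (atomic_load_explicit(&q->buf[q->prod_idx], memory_order_acquire) != NULL)
        return false;   /* full: the consumer has not drained this slot yet */
    atomic_store_explicit(&q->buf[q->prod_idx], item, memory_order_release);
    q->prod_idx = (q->prod_idx + 1) % QSIZE;
    return true;
}

bool ff_dequeue(ff_q *q, void **out) {
    void *v = atomic_load_explicit(&q->buf[q->cons_idx], memory_order_acquire);
    if (v == NULL) return false;   /* empty */
    *out = v;
    atomic_store_explicit(&q->buf[q->cons_idx], NULL, memory_order_release);
    q->cons_idx = (q->cons_idx + 1) % QSIZE;
    return true;
}

/* Constructed stand-ins for received frames; only their addresses matter here. */
static uint32_t frames[16];

/* Self-check: enqueue up to n frames (capacity permitting), then dequeue and
   verify FIFO order. Returns how many came back out in the right order.
   Lamport can hold QSIZE-1 items, FastForward all QSIZE. */
size_t lamport_roundtrip(size_t n) {
    lamport_q q = {0};
    size_t sent = 0, ok = 0;
    for (size_t i = 0; i < n && i < 16; i++)
        if (lamport_enqueue(&q, &frames[i])) sent++;
    for (size_t i = 0; i < sent; i++) {
        void *p = NULL;
        if (lamport_dequeue(&q, &p) && p == &frames[i]) ok++;
    }
    return ok;
}

size_t ff_roundtrip(size_t n) {
    ff_q q = {0};   /* all slots NULL == empty */
    size_t sent = 0, ok = 0;
    for (size_t i = 0; i < n && i < 16; i++)
        if (ff_enqueue(&q, &frames[i])) sent++;
    for (size_t i = 0; i < sent; i++) {
        void *p = NULL;
        if (ff_dequeue(&q, &p) && p == &frames[i]) ok++;
    }
    return ok;
}

int main(void) {
    printf("lamport:     %zu of %d slots usable\n", lamport_roundtrip(QSIZE), QSIZE);
    printf("fastforward: %zu of %d slots usable\n", ff_roundtrip(QSIZE), QSIZE);
    return 0;
}
```

The point to take away is the access pattern, not the API: in the Lamport ring every enqueue reads `head` and every dequeue reads `tail`, so the line holding the indices is written by one core and read by the other on every operation; in the FastForward-style ring the only shared state is the slot being handed over, and each index stays in its owner's cache. The published FastForward design additionally keeps the producer and consumer working several cache lines apart (its "temporal slipping"), which this single-threaded illustration omits.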
Why is this distinction important? There are two scenarios.
1) Raw firewall performance. If a firewall drops any link-layer frame of a large Internet Protocol (IP) packet, the entire packet needs to be retransmitted. If you are using a cheap wireless router at home I'm sure you've seen this problem in action: a transfer runs quickly at first and then suddenly chokes and hangs. What is happening is that the system falls back to a back-off mode meant to relieve network congestion - usually the reason frames are lost - when there really is no congestion at all.
2) Consider an attacker who wishes to remain as anonymous as possible. If the attacker knows that the intrusion detection/prevention system cannot sustain line-rate performance on a single link, they could initiate a Denial-of-Service attack whose entire purpose is to probabilistically hide the attacker's true malicious packets. If the security system misses some or all of the attack frames, it may be impossible to prevent the attack from completing or to perform forensic analysis on the data afterwards.
Therefore, before you buy your next network appliance, consider what your needs really are and ask your vendor what they mean by their performance ratings.