Re: [High Speed Firewalls]

[Paul Boyer <paul.boyer () paulboyer org>]

Hi Darren,

I understand 1000Mb/s is HIGH traffic compared to what can be done
right now.
No general purpose computer can today cope with such a big load.

Nevertheless, Linux as a simple router is doing pretty well between 2
1000 base T cards in "lab" tests. 
I know this relies heavily on the NIC doing part of the job, and other
specific optimization.
But with the speed fight underway, stated that we can already do
better than 100 with regular hardware, and we can already support
1000-enabled cards, it would surprise me a lot that going to 1000
could take more than a few months.

Note that this is only a kind of "compared to the kind of progress I'm
used to see, I have the feeling that it could happen..." opinion and
not a "if you add this feature to this driver, put N processors of
this brand with this compilation option it will do the job" statement.

Fortunately enough, within a few month, we'll get the second answer...
the only real one.
But when we'll have that answer, it won't be "a few month" before, it
will be the day we can do it.

Paul

Darren Reed wrote:
> In some email I received from Paul Boyer, sie wrote:
> [...]
> > Note that Linux on a single high end PC can do more than a PIX for a
> > small part of the price.
> > Linux now supports 1000bT cards pretty well, so you can expect a full
> > featured Gb/s firewall on Linux within a few months, for less than the
> > price of the switch you'll plug it in !
> >
> > My company sells right now firewall boxes on linux that can handle 150
> > Mb/s throughput (cumulated on all interfaces).
> [...]
>
> So how do you plan to get 1000Mb/s through it ?
>
> There's a *big* difference in the way things like the Alteon, etc, are
> designed, when compared to a PC.  Having a 1GHz P-III or Althon won't
> necessarily help either.
>
> 1GB/s is seriously hard to send/receieve at for any general purpose
> hardware such as a PC or Unix server/workstation.
>
> Darren