Re: Real World Routers 8-)

Date: Wed, 11 Jun 2003 20:41:51 +0200
Jamal Hadi <hadi@xxxxxxxxxxxxxxxx> writes:

> Ok, this is interesting. I have never seen the flows per second
> used for simple L3 forwarding. I have seen them being used for NAT or
> firewalling.

Some vendors still sell flow-based routers, and you should be able to
get these numbers if the vendor doesn't try to scam you.

> Looking at the sprint traffic patterns, i think flows/sec is a
> meaningful metric.

It's important to look at this number when buying a router, but I
still think that stateless IP forwarding is the way to go even if you
haven't got specialized hardware (TCAM).

>> Most vendors have learnt that people want routers with comforting
>> worst-case behavior.  However, you have to read carefully, e.g. a
>> Catalyst 6500 with Supervisor Engine 1 (instead of 2) can only create
>> 650,000 flows per second, even if it has a much, much higher peak IP
>> forwarding rate.
> So 2Mpps of 650Kflows/sec ?

Exactly.  (You can use a different Supervisor Engine and get stateless
IP switching at 2 Mpps, at least according to the data sheets.)

> We should be able to punish specific misbehaving flows.

This is quite difficult because misbehaving flows often consist of a
single packet.  Managing state for such flows is a waste, but you
hardly can know this when you have to decide whether you want to create
a new flow or not.

If you want to punish per-interface flows, forget it.  Most routers
are not sufficiently multi-homed to make a difference, and attacks
often hit routers on multiple interfaces.

> Do you know if any routers are implementing proper DOS tracebacks to
> allow for inserting drop filters?

You mean IP Pushback?  I haven't seen it on production routers, and
I'm pretty sure that no one uses it yet.

Flow-based traffic monitoring is available on most routers nowadays
(often sampled, though), even on routers that perform stateless IP

Anyway, just dropping packets locally doesn't help you *that* much,
you need cooperation of your upstream (and automated cooperation à la
IP Pushback is still far, far away, I presume).
