High-speed filtering boxes (Was: Re: SYN floods...)

In reply to your message of Thu, 19 Sep 1996 15:22:35 EDT:

I am sure a question most of us have is, what kind of latency does your
filtering box add? Doing something at line rate is fine, but latency is
rather important at line speed.

Very low, on the order of tens of microseconds, if I remember correctly (the
code itself is very small, only a couple hundred K). The PIX operates by
switching on flows rather than routing, so latency is comparable to a switch.
However, a word on latency since this urban myth seems to keep creeping back:

While a device with large latency, on the order of hundreds of milliseconds
or even seconds, would obviously contribute some detriment to the data
path, ultimately the largest latency lies in the transmission media and
the processing overhead on the end stations, and not the network nodes
themselves. This is an old issue that goes 'way back, and it just won't seem
to die. I never like trying to address the issue of latency in a network
device, because invariably it isn't the real contributor to latency on a

In fact, many of the unwashed in the end user community confuse
latency with response time, and they are not the same nor are they necessarily
related. Seconds-long response times due to congestion do not mean that
forwarding latency is at issue in any network devices, just like a traffic
jam at a major turnpike does not mean that the speed limits have been reduced
or the road surface degraded to where travel beyond a moderate speed is
impossible. There is just simply more traffic than the device can handle,
and things are going to back up-- but the packets are still being forwarded
through the device at the same rate.

Back to the PIX, since it filters and forwards at line rate, packets go out
as fast as they come in, eliminating the issue of congestion. And I've already
touched on the estimated latency for completeness.

Hope this helps,

                          Paul "Corwin" Frommeyer
        Work Internet Engineer, CCIE Play
ISP Systems Engineer Network Sorcerer At Large
Cisco Systems, Inc. Paul's Fone Company
pfrommey@cisco.com corwin@palas.com
      *** Speaking solely for myself unless otherwise noted ***
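
The distinction drawn above between forwarding latency and response time, as an added example that is not part of the original message: a device with a constant per-packet forwarding latency feeding one FIFO output link. The 20 microsecond latency echoes the "tens of microseconds" figure in the message; the 50 microsecond serialization time and both arrival patterns are constructed values.

```python
# Added illustration (not from the original message): a device with a
# constant forwarding latency feeding one FIFO output link.
# All numbers are constructed; times are integers in microseconds.

FORWARD_LATENCY_US = 20   # assumed fixed filter/switch time per packet
SERIALIZE_US = 50         # assumed time to clock one packet onto the link


def simulate(arrivals_us, forward_latency_us=FORWARD_LATENCY_US,
             serialize_us=SERIALIZE_US):
    """Return a list of (queue_wait_us, total_delay_us) per packet."""
    link_free_at = 0
    results = []
    for arrival in sorted(arrivals_us):
        ready = arrival + forward_latency_us      # device is done with it
        start = max(ready, link_free_at)          # wait if the link is busy
        link_free_at = start + serialize_us
        queue_wait = start - ready                # congestion, not latency
        results.append((queue_wait, link_free_at - arrival))
    return results


def summarize(arrivals_us):
    """Worst-case queue wait and total delay for an arrival pattern."""
    results = simulate(arrivals_us)
    return {
        "forward_latency_us": FORWARD_LATENCY_US,
        "max_queue_wait_us": max(w for w, _ in results),
        "max_total_delay_us": max(t for _, t in results),
    }


# Constructed arrival patterns: one packet per 100 us (link half idle)
# and one per 40 us (offered load exceeds what the link can drain).
LIGHT_LOAD = [i * 100 for i in range(5)]
OVERLOAD = [i * 40 for i in range(5)]

if __name__ == "__main__":
    for name, pattern in (("light", LIGHT_LOAD), ("overload", OVERLOAD)):
        print(name, summarize(pattern))
```

In the overload case the per-packet forwarding latency never changes; the growth in total delay comes entirely from the queue wait.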