
RE: Sampled Traffic Analysis by Internet-Exchange-Level Adversaries

That's clearly an erroneous statement. There was an off-the-shelf Windows-based 10 Gigabit capture and realtime packet inspection device available in 2004 - the NAI 'Sniffer Portable Lab 10 Gigabit Ethernet Analyser' system - and a wider selection is available today, e.g. Wildpackets Omnipliance.
Windows can now process traffic at multigigabit traffic rates fairly easily due to its extensive and standardized TOE (TCP Offload Engine) support with a large and growing selection of compatible high end hardware.
To use TOE hardware in, for instance, Linux, you have to hack the kernel to support the capabilities of your particular network card. Of course, as with many things in Linux it's a bolt-on afterthought, so doing so cuts out features like netfilter, traffic control, packet scheduling, QoS, performance monitoring and more. Not to mention that TOE technology is patented, so Linux will probably never have full enterprise multigigabit TOE adaptor support out of the box.
To deep inspect the packets once captured is just a CPU intensive task. Windows is often the best solution for these types of task due to the advantages of Windows' advanced kernel memory management, features and scheduler. (See the several interesting presentations by Mark Russinovich on the subject).
I can't comment on the capabilities of Solaris mentioned previously or others such as BSD as I haven't seen any paper or stats on the subject. However, I know that Sun have been working with 10 Gigabit Ethernet for years as an alternative to Infiniband, so I would expect Solaris' capabilities to be significantly better than Linux.
As a technical background, the major networking scalability limitation in Windows 2003 / XP was the NDIS 5.1 design limit of 1 CPU per network interface. As the below example is running 14 Gbit/s throughput with 15% CPU utilisation on 2 year old hardware, it isn't that much of a limitation.
The NDIS 5.2 stack that is included in the free Windows 2003 Scalable Networking Pack ups that limit to 1 CPU per TCP connection. 
With the Next Generation TCPIP stack and TCP Chimney included in Vista (already out) and Windows 2008 (due out in a few months) the bar goes even higher. See http://www.microsoft.com/winme/0705/30024/Russinovich_WinHec_MBR.asx and http://www.microsoft.com/technet/network/tcpip/default.mspx


From: owner-or-talk@xxxxxxxxxxxxx on behalf of Eugen Leitl
Sent: Wed 30/05/2007 13:57
To: or-talk@xxxxxxxxxxxxx
Subject: Re: Sampled Traffic Analysis by Internet-Exchange-Level Adversaries

On Tue, May 29, 2007 at 01:36:03PM +0100, Tony wrote:

> Windows has offered over 10 Gigabit throughput on a workstation (running Windows Server 2003) since 2005...
> http://www.amd.com/us-en/assets/content_type/DownloadableAssets/AMD_10_GbE_Performance_Paper_August05.pdf

Totally different operation regime. Filling up the pipe is one thing, deep-inspecting
every packet something else entirely. Windows can't even handle the realtime requirements.

Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE