North American Network Operators Group


Re: Who does source address validation? (was Re: what's that smell?)

  • From: Sean Donelan
  • Date: Wed Oct 09 08:14:48 2002

On Tue, 8 Oct 2002, John M. Brown wrote:
> Simulation models I've been running show that an average of 12 to 18 percent
> of a providers traffic would disappear if they filtered RFC-1918 sourced
> packets.   The percentage ranges scale with the size of the provider.
> Smaller providers, less impact, larger providers more impact.
>
> In addition to the bandwidth savings, there is also a support cost
> reduction and together, I believe backbone providers can see this
> on the bottom line of their balance sheets.

Testing a couple of years ago on a widely used router vendor's
implementation of uRPF showed in certain pathological cases a 50%
throughput hit when uRPF was turned on.  Even a single line access
list permit ip any any had a throughput hit on certain platforms.

http://www.nc-itec.org/archive/URPF/Unicast%20RPF%20Test%20Results%20Summary%20-%20performance%20assessment%20v0.2.pdf

Whether this is still true, the legend lives on.  A 20% throughput hit
won't be offset by a 12 to 18 percent bandwidth savings.  Especially on
heavily loaded circuits.  Some network engineers are reluctant to do any
type of packet filtering (uRPF or ACL based) because of the belief it will
hurt performance (latency, throughput, etc).

While I think it's a good idea, and generally do it on any network I design
from scratch, so far you really haven't given me much ammo to convince
people to change what is already working for them.

Going back to the IBM/Amdahl mainframe days, the traditional requirement
to get people to change was it needed to be 30% cheaper or 30% better.
Anything less, and it usually wasn't worth the effort of making the
change, especially if the current system didn't have a visible problem.
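As an added illustration of the two filtering approaches the message contrasts (uRPF versus an ACL), here is a small Python model of strict and loose uRPF plus an RFC 1918 source filter, run over a handful of constructed packets. It is not part of the original post and is not any vendor's implementation; the FIB, the interface names (upstream0, cust1, cust2, peer0) and the packet list are made up for illustration. It models only the forwarding-plane decision, not the per-platform throughput cost the post is concerned with.

```python
"""Toy source-address validation: RFC 1918 source ACL plus strict/loose uRPF.

Added example, not code from the NANOG post. FIB, interfaces and packets
below are constructed for illustration only.
"""
import ipaddress
from collections import Counter

# Constructed FIB: prefix -> egress interface, as a router's forwarding table
# would hold it. A default route is included so loose mode has a case to reject.
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
FIB = {
    DEFAULT: "upstream0",
    ipaddress.ip_network("192.0.2.0/24"): "cust1",
    ipaddress.ip_network("198.51.100.0/24"): "cust2",
    ipaddress.ip_network("203.0.113.0/24"): "peer0",
}

# The private ranges the post talks about filtering as packet sources.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def fib_lookup(addr):
    """Longest-prefix match. Returns (prefix, egress) or (None, None)."""
    best = (None, None)
    for prefix, egress in FIB.items():
        if addr in prefix and (best[0] is None
                               or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, egress)
    return best


def urpf_passes(src, ingress, mode):
    """Strict: the route back to the source must point out the ingress
    interface (suitable at single-homed customer edges). Loose: any route
    more specific than the default will do (tolerates asymmetric paths,
    but only catches sources with no route at all)."""
    prefix, egress = fib_lookup(src)
    if mode == "strict":
        return egress == ingress
    if mode == "loose":
        return prefix is not None and prefix != DEFAULT
    raise ValueError(f"unknown uRPF mode: {mode}")


def classify(packets, mode):
    """Apply the cheap RFC 1918 source ACL first, then uRPF.
    Returns a Counter keyed by verdict: pass, drop_rfc1918, drop_urpf."""
    verdicts = Counter()
    for src_str, ingress in packets:
        src = ipaddress.ip_address(src_str)
        if any(src in net for net in RFC1918):
            verdicts["drop_rfc1918"] += 1
        elif not urpf_passes(src, ingress, mode):
            verdicts["drop_urpf"] += 1
        else:
            verdicts["pass"] += 1
    return verdicts


def drop_fraction(verdicts):
    """Share of packets dropped by either filter."""
    total = sum(verdicts.values())
    return 0.0 if total == 0 else (total - verdicts["pass"]) / total


# Constructed sample traffic: (source address, ingress interface).
PACKETS = [
    ("192.0.2.10", "cust1"),      # legitimate customer source
    ("198.51.100.5", "cust1"),    # cust2's space arriving from cust1: spoofed
    ("10.1.2.3", "cust1"),        # RFC 1918 source leaking out
    ("203.0.113.7", "peer0"),     # legitimate peer source
    ("8.8.8.8", "cust1"),         # only the default route covers it
    ("192.168.1.1", "cust2"),     # RFC 1918 source leaking out
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        v = classify(PACKETS, mode)
        print(f"{mode:6s} {dict(v)} dropped={drop_fraction(v):.0%}")
```

Strict mode drops the spoofed customer packet that loose mode lets through; the RFC 1918 sources are caught by the ACL before uRPF is consulted in either mode.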