Date: Wed, 2 Jul 2003 14:38:38 -0400 From: Barney Wolff <barney@databus.com> To: Michael Sierchio <kudzu@tenebras.com> Cc: freebsd-net@freebsd.org Subject: Re: Performance improvement for NAT in IPFIREWALL Message-ID: <20030702183838.GB4179@pit.databus.com> In-Reply-To: <3F0316DE.3040301@tenebras.com> References: <3F0316DE.3040301@tenebras.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jul 02, 2003 at 10:31:10AM -0700, Michael Sierchio wrote: > > Currently, performance w/divert sockets and natd in ipfirewall > on a compute-bound platform (ELAN-133MHz) shows ipfw+natd throughput > to be 50% of that offered by ipfilter+ipnat. > > Is there anything that can be done to speed up either the > performance of divert and natd? Alternatively, could network > address translation be merged into ipfirewall? > > As we move from 1000BASE-TX to 10000BASE-TX, this will become > more of an issue, even on 3GHz machines. > > Comments? Suggestions? Vision? NAT is not a security feature, and should be used only where it is actually necessary to translate addresses, and as far towards the edge as possible. If you believe you need to NAT at even 1Gb, I'd look very hard at the requirements. The performance hit on crossing the kernel-userspace boundary for natd is inherent, apart from any code optimization that might be possible. But moving NAT into the kernel has great impact on kernel memory usage, which needs much more care than in user space. NATs can be DoS'd, and running out of kernel memory can be fatal. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030702183838.GB4179>