Blocking TCP flows?

Christopher Morrow morrowc.lists at gmail.com
Thu Jun 13 20:52:53 UTC 2013


On Thu, Jun 13, 2013 at 4:47 PM, Phil Fagan <philfagan at gmail.com> wrote:
> I didn't think the bus up to the FPGA was very beefy...wouldn't you need to
> send flows up there off the data-plane for inspection?
>

not sure, but their docs talk about using the fpga for doing HFT... so
I presume it's got the ability to see all traffic on at least one
interface, eh?

(I believe the fpga is really connected to the bus as a 10g link...
but I haven't tried this; I've only read their docs)

> On Thu, Jun 13, 2013 at 2:03 PM, Christopher Morrow
> <morrowc.lists at gmail.com> wrote:
>>
>> On Thu, Jun 13, 2013 at 3:32 PM, Eric Wustrow <ewust at umich.edu> wrote:
>> > Hi all,
>> >
>> > I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10
>> > gbps link, with new blocked flows being dropped within a millisecond or
>> > so of being added. I've been looking into using OpenFlow on an HP
>> > Procurve, but I don't know much in this area, so I'm looking for better
>> > alternatives.
>> >
>>
>> this sounds like a job for the arista box with the FPGA onboard, no?
>>
>>
>> > Ideally, such a device would add minimal latency (many/expandable CAM
>> > entries?), can handle many programmatically added flows (hundreds per
>> > second), and would be deployable in a production network (fails in
>> > bypass mode). Are there any COTS devices I should be looking at? Or is
>> > the market for this all under the table to pro-censorship governments?
>> >
>> > Thanks,
>> >
>> > -Eric
>>
>
>
>
> --
> Phil Fagan
> Denver, CO
> 970-480-7618
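Eric's OpenFlow option, as an added example that is neither part of this thread nor any vendor's code: it builds the OpenFlow 1.0 flow-mod message a controller would push to the switch to drop one TCP 5-tuple (an empty action list means drop), and decodes it back so a rule can be checked before it is sent. It assumes only the OF 1.0 wire format; the control-channel handshake and socket send are not shown, the addresses and ports used are constructed, and whether a given HP or Arista box installs such a match in hardware TCAM or punts it to software (the latency and CAM-entry questions above) is switch-specific and has to be measured.

```python
import socket
import struct

# OpenFlow 1.0 constants from the OF 1.0 spec (constructed example, not vendor code).
OFP_VERSION, OFPT_FLOW_MOD, OFPFC_ADD = 0x01, 14, 0
OFP_NO_BUFFER, OFPP_NONE, OFPFF_SEND_FLOW_REM = 0xFFFFFFFF, 0xFFFF, 1
ETH_TYPE_IPV4 = 0x0800
# ofp_match wildcard bits: a set bit means "don't care". For a pure 5-tuple rule
# we wildcard ingress port, VLAN id/pcp, MACs and ToS, and match dl_type,
# nw_proto, nw_src, nw_dst, tp_src and tp_dst exactly.
OFPFW_IN_PORT, OFPFW_DL_VLAN, OFPFW_DL_SRC, OFPFW_DL_DST = 1, 2, 4, 8
OFPFW_DL_VLAN_PCP, OFPFW_NW_TOS = 1 << 20, 1 << 21
FIVE_TUPLE_WILDCARDS = (OFPFW_IN_PORT | OFPFW_DL_VLAN | OFPFW_DL_SRC
                        | OFPFW_DL_DST | OFPFW_DL_VLAN_PCP | OFPFW_NW_TOS)
HEADER_FMT = "!BBHI"                # struct ofp_header, 8 bytes
MATCH_FMT = "!IH6s6sHBxHBBxxIIHH"   # struct ofp_match, 40 bytes
FLOW_MOD_TAIL_FMT = "!QHHHHIHH"     # cookie .. flags, 24 bytes


def ip2int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def build_drop_flow_mod(src_ip, dst_ip, proto, sport, dport, xid=1,
                        priority=1000, idle_timeout=0):
    """Wire bytes of an OFPT_FLOW_MOD (OFPFC_ADD) dropping one 5-tuple.
    An empty action list is the OF 1.0 way to say "drop"; OFPFF_SEND_FLOW_REM
    makes the switch report removal so the controller can audit its table."""
    match = struct.pack(MATCH_FMT, FIVE_TUPLE_WILDCARDS, 0, b"\0" * 6, b"\0" * 6,
                        0, 0, ETH_TYPE_IPV4, 0, proto,
                        ip2int(src_ip), ip2int(dst_ip), sport, dport)
    tail = struct.pack(FLOW_MOD_TAIL_FMT, 0, OFPFC_ADD, idle_timeout, 0,
                       priority, OFP_NO_BUFFER, OFPP_NONE, OFPFF_SEND_FLOW_REM)
    header = struct.pack(HEADER_FMT, OFP_VERSION, OFPT_FLOW_MOD,
                         8 + len(match) + len(tail), xid)
    return header + match + tail


def parse_flow_mod(msg):
    """Decode the fields that determine what an installed rule will match."""
    _, msg_type, length, xid = struct.unpack_from(HEADER_FMT, msg, 0)
    m = struct.unpack_from(MATCH_FMT, msg, 8)
    _, command, _, _, prio, _, _, _ = struct.unpack_from(FLOW_MOD_TAIL_FMT, msg, 48)
    return {"type": msg_type, "length": length, "xid": xid, "wildcards": m[0],
            "dl_type": m[6], "nw_proto": m[8],
            "nw_src": socket.inet_ntoa(struct.pack("!I", m[9])),
            "nw_dst": socket.inet_ntoa(struct.pack("!I", m[10])),
            "tp_src": m[11], "tp_dst": m[12], "command": command,
            "priority": prio, "action_bytes": len(msg) - 72}
```

Pushing hundreds of these per second is one flow-mod each, so the rate that matters is how fast the switch commits them to its hardware table, not how fast the controller can pack them.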
