On Wed, 16 Jun 1999, Labranche S. 1Lt - 43CS/SCBB wrote:
> I was recently informed by my Sidewinder administrator that we cannot
> prioritize traffic (QoS) through the firewall. This seems odd to me. We
It's not very odd. Most IP-based non-routing devices don't support QoS yet,
given that it's a packet-based network and the packet has to get into the
stack's buffer before the stack can figure out what the packet is, it's
not an ideal solution for traditional IP stacks without complicating the
stack with a bunch of new buffers and complicated weighted round-robin
buffer reading code. Eventually, if the IP stacks support it then it'll
be a solved problem. Unless Sidewinder has changed a great deal since I
last looked at it, the stack it is sitting on is pretty normal.
> have a requirement that certain ports have priority over others. Any
> comments/suggestions?
Unless it's on a private network it's probably a silly goal anyway (and
might yet be if the end nodes are saturated and don't apply it
themselves.) If it's a private network, then do QoS before and after the
firewall on the screening routers you should have on either side of the
Sidewinder anyway. I'm not sure that QoS works (a) well or (b) with any
measure of stability on the routers I use; you'll want to check yours
with the vendor and reference users using the feature at the same code
level.
As an aside, given the fact that there's no out-of-band signaling method for
IP networks, QoS could introduce more interesting ways of attacking service on
the network in some circumstances, depending on the implementation, the
network topology, and the amount of prioritization configured for
services. If I generate enough spoofed packets for whatever port you
consider the highest priority, what happens to all of your real traffic
at every other priority? While flooding in a non-QoS world gives most of
the same DoS attack possibilities, it isn't as subtle and interface usage
will turn it up pretty quickly. QoS reporting adds another layer to the mix,
as well as probably requiring SNMP on the routers- something I'm leery of
unless it's done out-of-band, and could introduce a subtle vector that's
difficult to spot. It also could mean the difference between being able
to slow a particular stream prior to a hijack or spoof attack and not.
This may or may not be an issue for you, but you'll want to look into the
possibility prior to fielding it if you haven't already done a risk
assessment.
QoS outside of a private network seems mostly silly to me- given that the
traffic loses that value right after it leaves your border. I'm sure others
will have different opinions.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
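The starvation scenario Paul describes (spoofed packets aimed at the highest-priority port crowding out every other class) is easy to see in a toy scheduler. The following is an added illustration, not code from the original post or from any Sidewinder or router product: a strict-priority link scheduler with three classes, run once with normal traffic, once with a spoofed flood on the "high" class, and once with the same flood but an ingress policer capping how much "high" traffic is admitted per tick. The link rate, queue depth, class names and per-tick arrival rates are all assumed values chosen to make the effect visible.

```python
"""Toy strict-priority scheduler: shows a spoofed flood on the top-priority
class starving everything else, and how policing that class restores service.
Constructed example; all rates and limits below are assumptions."""
from collections import deque

LINK_RATE = 10                          # packets the link drains per tick (assumed)
QUEUE_LIMIT = 100                       # per-class buffer before tail drop (assumed)
PRIORITY = ("high", "medium", "low")    # strict service order, high first


def simulate(arrivals, ticks, high_cap=None):
    """Run the scheduler for `ticks` ticks.

    arrivals: dict class -> packets arriving per tick.
    high_cap: if set, an ingress policer admits at most this many 'high'
              packets per tick and drops the rest before they are queued.
    Returns (forwarded, dropped): per-class packet counts over the run.
    """
    queues = {c: deque() for c in PRIORITY}
    forwarded = {c: 0 for c in PRIORITY}
    dropped = {c: 0 for c in PRIORITY}

    for _ in range(ticks):
        # Ingress: enqueue this tick's arrivals, policing 'high' if a cap is set.
        for cls in PRIORITY:
            n = arrivals.get(cls, 0)
            if cls == "high" and high_cap is not None and n > high_cap:
                dropped[cls] += n - high_cap
                n = high_cap
            for _ in range(n):
                if len(queues[cls]) < QUEUE_LIMIT:
                    queues[cls].append(cls)
                else:
                    dropped[cls] += 1        # tail drop: buffer full

        # Egress: strict priority. Lower classes only get whatever budget
        # is left after the higher ones are fully drained.
        budget = LINK_RATE
        for cls in PRIORITY:
            while budget and queues[cls]:
                queues[cls].popleft()
                forwarded[cls] += 1
                budget -= 1

    return forwarded, dropped


# Constructed traffic mixes (packets per tick).
NORMAL = {"high": 2, "medium": 4, "low": 3}    # fits within LINK_RATE
FLOOD = {"high": 50, "medium": 4, "low": 3}    # spoofed flood on the priority port


def starvation_demo(ticks=100):
    """Compare forwarded packet counts across the three scenarios."""
    normal, _ = simulate(NORMAL, ticks)
    flooded, _ = simulate(FLOOD, ticks)
    policed, _ = simulate(FLOOD, ticks, high_cap=3)   # policer at 3 pkts/tick
    return {"normal": normal, "flood_strict": flooded, "flood_policed": policed}


if __name__ == "__main__":
    for name, counts in starvation_demo().items():
        print(f"{name:14s} {counts}")
```

With strict priority and no policer, the flood fills the link every tick and the medium and low classes forward nothing for the entire run; interface utilization looks perfectly normal, which is the subtle part. Capping the priority class at ingress (here at 3 packets per tick, roughly the legitimate rate plus headroom) bounds what a spoofed source can take, so the other classes get their share back. The practitioner lesson is the one Paul hints at: a priority class needs a policer or rate limit, not unbounded precedence, and the attack surface needs to be part of the risk assessment before fielding QoS.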