[Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support
Nelson, Cooper
cnelson at ucsd.edu
Thu May 30 15:43:08 UTC 2019
If anyone knows how to do this on a ixgbe system, please let me know. I'm eager and ready to test. As mentioned, I think something simple we could try would be to try doing this in software via new software load-balancer.
Btw, in the interest of full disclosure, its been pointed out to me that I didn't really understand how the internet actually works. Years of looking at wireshark led me to think that TCP packets were larger than they were on the wire, because I was looking at what was reassembled by the kernel. So TCP window scaling isn't the culprit, though I'm of the opinion it might trigger the observed effect in some cases.
So, the point is, any number of things can cause a single TCP packet within an existing flow to become fragmented, which will then result in the second fragment ending up on a different RSS queue (due to it lacking a TCP header).
Based on what I'm seeing on our sensor this happens all the time on a busy "ISP" style network, so I'm sure it's common everywhere.
Here's a good blog post discussing how complex this issue is ...
https://blog.cloudflare.com/ip-fragmentation-is-broken/
-Coop
-----Original Message-----
From: Peter Manev <petermanev at gmail.com>
Sent: Wednesday, May 29, 2019 2:00 PM
To: Michał Purzyński <michalpurzynski1 at gmail.com>
Cc: Nelson, Cooper <cnelson at ucsd.edu>; Cloherty, Sean E <scloherty at mitre.org>; Eric Urban <eurban at umn.edu>; Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support
On Wed, May 29, 2019 at 9:52 PM Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
>
> How about ignoring layers above 3 and just going with ip src + ip dst? I'm pretty sure I can do that on i40e.
>
Lets give it a spin ? :)
Maybe do runs with/without taking into consideration of vlanids?
(just to see if related)
--
Regards,
Peter Manev
More information about the Oisf-users
mailing list