Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Debian User (http://www.linux-archive.org/debian-user/)
-   -   ICMP handling in Linux (http://www.linux-archive.org/debian-user/654595-icmp-handling-linux.html)

Martin T 04-10-2012 04:07 PM

ICMP handling in Linux
 
It's a well known fact that even most(with exceptions like ASR1K) of
the high-end Cisco or Juniper routers handle ICMP traffic in routing
engines not in ASIC's which means that they share the CPU time with
other processes. How prioritized is ICMP handling in modern Linux 2.6
and newer kernels? Is it possible to prioritize ICMP handling in
kernel?


regards,
martin


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: CAJx5YvG0RSUYi-WaLzVC2ZpEZK7+5XzB7qNRaDesYxBt6ze6gw@mail.gmail.co m">http://lists.debian.org/CAJx5YvG0RSUYi-WaLzVC2ZpEZK7+5XzB7qNRaDesYxBt6ze6gw@mail.gmail.co m

Henrique de Moraes Holschuh 04-11-2012 12:10 AM

ICMP handling in Linux
 
On Tue, 10 Apr 2012, Martin T wrote:
> It's a well known fact that even most(with exceptions like ASR1K) of
> the high-end Cisco or Juniper routers handle ICMP traffic in routing
> engines not in ASIC's which means that they share the CPU time with
> other processes. How prioritized is ICMP handling in modern Linux 2.6
> and newer kernels? Is it possible to prioritize ICMP handling in
> kernel?

AFAIK, it has the same priority of every other packet that makes it to the
IP stack.

Easy depriorizing is possible by outright dropping incoming ICMP packets
in the iptables layer, before it is processed by the IP stack.

I suppose advanced NICs might be able to use receiver-side flow-steering to
priorize or depriorize ICMP packets before delivering them to the driver, or
you could steer them all to a particular core.

I fear you will probably need to ask this question in the netdev ML if
you want a better answer.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120411001020.GB7792@khazad-dum.debian.net">http://lists.debian.org/20120411001020.GB7792@khazad-dum.debian.net

"John A. Sullivan III" 04-11-2012 12:16 AM

ICMP handling in Linux
 
On Tue, 2012-04-10 at 21:10 -0300, Henrique de Moraes Holschuh wrote:
> On Tue, 10 Apr 2012, Martin T wrote:
> > It's a well known fact that even most(with exceptions like ASR1K) of
> > the high-end Cisco or Juniper routers handle ICMP traffic in routing
> > engines not in ASIC's which means that they share the CPU time with
> > other processes. How prioritized is ICMP handling in modern Linux 2.6
> > and newer kernels? Is it possible to prioritize ICMP handling in
> > kernel?
>
> AFAIK, it has the same priority of every other packet that makes it to the
> IP stack.
>
> Easy depriorizing is possible by outright dropping incoming ICMP packets
> in the iptables layer, before it is processed by the IP stack.
>
> I suppose advanced NICs might be able to use receiver-side flow-steering to
> priorize or depriorize ICMP packets before delivering them to the driver, or
> you could steer them all to a particular core.
>
> I fear you will probably need to ask this question in the netdev ML if
> you want a better answer.
>
Setting up a qdisc via the tc utility would be a more controlled way
than simply drop or not drop. Alas, it is not one of the simpler things
to do in Linux - John


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 1334103390.2012.32.camel@denise.theartistscloset.c om">http://lists.debian.org/1334103390.2012.32.camel@denise.theartistscloset.c om

Scott Ferguson 04-11-2012 12:21 AM

ICMP handling in Linux
 
On 11/04/12 02:07, Martin T wrote:
> It's a well known fact that even most(with exceptions like ASR1K) of
> the high-end Cisco or Juniper routers handle ICMP traffic in routing
> engines not in ASIC's

Debian is software - so I can be relied on to never use ASICs ;-p

<snipped>

> How prioritized is ICMP handling in modern Linux 2.6
> and newer kernels?

ICMP has the same priority as other protocols (by default).

> Is it possible to prioritize ICMP handling in
> kernel?

Sure - assign a lower priority policy to other protocols.

>
>
> regards,
> martin
>
>

If you want more detailed answer to specific situations debian-firewall
"might" be a better list to ask.

Note that Debian also provides a kfreeBSD kernel and HURD servers.


Kind regards


--
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4F84CE87.3040009@gmail.com">http://lists.debian.org/4F84CE87.3040009@gmail.com

Henrique de Moraes Holschuh 04-11-2012 12:42 AM

ICMP handling in Linux
 
On Tue, 10 Apr 2012, John A. Sullivan III wrote:
> On Tue, 2012-04-10 at 21:10 -0300, Henrique de Moraes Holschuh wrote:
> > On Tue, 10 Apr 2012, Martin T wrote:
> > > It's a well known fact that even most(with exceptions like ASR1K) of
> > > the high-end Cisco or Juniper routers handle ICMP traffic in routing
> > > engines not in ASIC's which means that they share the CPU time with
> > > other processes. How prioritized is ICMP handling in modern Linux 2.6
> > > and newer kernels? Is it possible to prioritize ICMP handling in
> > > kernel?
> >
> > AFAIK, it has the same priority of every other packet that makes it to the
> > IP stack.
> >
> > Easy depriorizing is possible by outright dropping incoming ICMP packets
> > in the iptables layer, before it is processed by the IP stack.
> >
> > I suppose advanced NICs might be able to use receiver-side flow-steering to
> > priorize or depriorize ICMP packets before delivering them to the driver, or
> > you could steer them all to a particular core.
> >
> > I fear you will probably need to ask this question in the netdev ML if
> > you want a better answer.
> >
> Setting up a qdisc via the tc utility would be a more controlled way
> than simply drop or not drop. Alas, it is not one of the simpler things
> to do in Linux - John

I suppose so, but that would require the use of ifb devices. That is likely
more expensive than handling the ICMP in the first place (with kernel ICMP
reply rate-limiters configured, obviously), so it might not work as well as
one would like it to.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120411004249.GD7792@khazad-dum.debian.net">http://lists.debian.org/20120411004249.GD7792@khazad-dum.debian.net

"John A. Sullivan III" 04-11-2012 01:41 AM

ICMP handling in Linux
 
On Tue, 2012-04-10 at 21:42 -0300, Henrique de Moraes Holschuh wrote:
> On Tue, 10 Apr 2012, John A. Sullivan III wrote:
> > On Tue, 2012-04-10 at 21:10 -0300, Henrique de Moraes Holschuh wrote:
> > > On Tue, 10 Apr 2012, Martin T wrote:
> > > > It's a well known fact that even most(with exceptions like ASR1K) of
> > > > the high-end Cisco or Juniper routers handle ICMP traffic in routing
> > > > engines not in ASIC's which means that they share the CPU time with
> > > > other processes. How prioritized is ICMP handling in modern Linux 2.6
> > > > and newer kernels? Is it possible to prioritize ICMP handling in
> > > > kernel?
> > >
> > > AFAIK, it has the same priority of every other packet that makes it to the
> > > IP stack.
> > >
> > > Easy depriorizing is possible by outright dropping incoming ICMP packets
> > > in the iptables layer, before it is processed by the IP stack.
> > >
> > > I suppose advanced NICs might be able to use receiver-side flow-steering to
> > > priorize or depriorize ICMP packets before delivering them to the driver, or
> > > you could steer them all to a particular core.
> > >
> > > I fear you will probably need to ask this question in the netdev ML if
> > > you want a better answer.
> > >
> > Setting up a qdisc via the tc utility would be a more controlled way
> > than simply drop or not drop. Alas, it is not one of the simpler things
> > to do in Linux - John
>
> I suppose so, but that would require the use of ifb devices. That is likely
> more expensive than handling the ICMP in the first place (with kernel ICMP
> reply rate-limiters configured, obviously), so it might not work as well as
> one would like it to.
<snip>
I did not read the original post but I'm not sure why it would require
IFB interfaces. I have found I only use them if I need to shape rather
than police ingress traffic or if I need to do identical traffic shaping
on multiple interfaces. Then again, I have not experience configuring
kernel ICMP reply rate limiters - John


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 1334108474.2012.34.camel@denise.theartistscloset.c om">http://lists.debian.org/1334108474.2012.34.camel@denise.theartistscloset.c om

Pascal Hambourg 04-14-2012 10:22 AM

ICMP handling in Linux
 
Hello,

Henrique de Moraes Holschuh a écrit :
>
> Easy depriorizing is possible by outright dropping incoming ICMP packets
> in the iptables layer, before it is processed by the IP stack.

iptables is not before the IP stack, it is a part of it.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4F894FDD.6010706@plouf.fr.eu.org">http://lists.debian.org/4F894FDD.6010706@plouf.fr.eu.org

Henrique de Moraes Holschuh 04-14-2012 10:42 AM

ICMP handling in Linux
 
On Sat, 14 Apr 2012, Pascal Hambourg wrote:
> Henrique de Moraes Holschuh a écrit :
> > Easy depriorizing is possible by outright dropping incoming ICMP packets
> > in the iptables layer, before it is processed by the IP stack.
>
> iptables is not before the IP stack, it is a part of it.

I suppose you're correct, since it is the IPv4-specific part of netfilter,
and it does hook into several places of the IP stack, and it knows IPv4.

I should probably have written it as "drop it in the RAW table, which
happens very early in the packet's processing by the IP stack."

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120414104211.GA22597@khazad-dum.debian.net">http://lists.debian.org/20120414104211.GA22597@khazad-dum.debian.net


All times are GMT. The time now is 06:50 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.