[Bro] Software frontend

Sunjeet Singh sstattla at gmail.com
Fri Dec 10 12:37:55 PST 2010

On 10-12-10 12:17 PM, Seth Hall wrote:
> On Dec 10, 2010, at 2:57 PM, Sunjeet Singh wrote:
>> One can imagine a more optimal setting where event-analysis can be done locally and only the batched events are sent to the event-handler stage that runs on the cloud.
> This is likely to just cause more overhead than it's worth.
>> A cloud provider can have a Bro Instance
> I can imagine doing this.  I may look into it at some point too.
>    .Seth

Well, if people are going to be looking at this space, I'd quickly like 
to summarize the information that I partly gained from this forum or 
otherwise learnt from the challenges that I ran into-

The Frontend Load Balancer remains the bottleneck-
In a cloud setting, frontend remains the non-scalable part of the 
existing cluster architecture. With the option of hardware load 
balancing gone in the Cloud, software load-balancing will have to incur 
some overhead. You can't modify only MAC address (the packet will get 
dropped before reaching Worker) and you can't modify both MAC and IP 
(you need the original IPs (duh)). You need to either encapsulate the 
packet yourself (user-level or kernel-level but still processing 
overhead and requires de-capsulation code at the receiver side) or 
configure a cluster Virtual Private Cloud and subnet in which case the 
Cloud is doing the encapsulation for you. How well does this scale?
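
The encapsulation option described in the message above, as an added example that is not part of the original post and is not Bro code: a frontend picks a worker with a symmetric flow hash and wraps the untouched packet in an outer IPv4 header, and the worker strips it to recover the original IPs. IP-in-IP (protocol 4), the addresses in WORKERS and FRONTEND, and all function names are assumptions made for illustration.

```python
import ipaddress
import struct
import zlib

WORKERS = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]  # assumed worker addresses
FRONTEND = "10.0.1.1"                               # assumed frontend address

def checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header with no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def pick_worker(pkt: bytes) -> str:
    """Symmetric flow hash: both directions of a connection map to one worker."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    ends = sorted([(src, sport), (dst, dport)])
    key = b"".join(a + struct.pack("!H", p) for a, p in ends) + pkt[9:10]
    return WORKERS[zlib.crc32(key) % len(WORKERS)]

def encapsulate(pkt: bytes) -> bytes:
    """Frontend side: wrap the untouched packet in an outer IP-in-IP header."""
    return ipv4_header(FRONTEND, pick_worker(pkt), 4, len(pkt)) + pkt

def decapsulate(frame: bytes) -> bytes:
    """Worker side: validate the outer header and return the inner packet."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 4 or checksum(frame[:ihl]) != 0:
        raise ValueError("not a valid IP-in-IP frame")
    return frame[ihl:]

def sample_packet(src, sport, dst, dport) -> bytes:
    """Constructed TCP-like packet: IPv4 header plus ports and padding."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return ipv4_header(src, dst, 6, len(l4)) + l4
```

Each forwarded packet grows by the 20-byte outer header, which is the per-packet cost the message refers to, and the worker must run the matching decapsulation before analysis.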
