From: Anders Lowinger
To: Haesu
Cc: freebsd-net@freebsd.org
Subject: Re: tcp hostcache and ip fastforward for review
Date: Thu, 13 Nov 2003 13:54:33 +0100
Message-ID: <3FB37F09.4050908@lowinger.se>
In-Reply-To: <20031112195529.GA48020@scylla.towardex.com>
List-Id: Networking and TCP/IP with FreeBSD

Haesu wrote:
> I agree in that flow cache is bad and it should not be used.

Everything is not black or white.
A flow cache can accelerate, for example, Access Control Lists and/or firewalling, since only the first packet needs to be verified. Cisco just added ACL bypass for firewall, which is a similar feature.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d33da.html

> It only takes x num. of kpps with diverse destinations to knock off a router running flow based caching.

Yep, that is true, and it's hard to work around.

> Extreme switches use flow based caching (called ipfdb) and any DoS attack that uses
> diverse destinations will kill it pretty quickly..

Cisco's newer stuff does the flow cache independent of the forwarding, i.e. the flow cache is more of an accounting cache.

--Anders, not affiliated with Cisco
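The two points made in the thread (a flow cache lets only the first packet of a flow pay for the ACL lookup, and a flood of packets with diverse destinations defeats it) can be shown with a small simulation. This is an added example, not code from FreeBSD, Cisco or Extreme, and it assumes things the thread does not state: an LRU replacement policy, a cache keyed only on (src, dst), a one-rule ACL, a 64-entry cache and constructed addresses from documentation and shared-address ranges. Three phases are run through the same cache: steady legitimate traffic over 32 flows, a 5000-packet flood where every packet has a new destination, and the same legitimate traffic again after the flood.

```python
"""Flow cache in front of an ACL, and what a diverse-destination flood does to it.

Added example for this thread, not code from FreeBSD, Cisco or Extreme. The
rule table, cache size, replacement policy and traffic are all constructed.
"""
from collections import OrderedDict
import ipaddress

# Constructed ACL: permit one prefix pair; everything else is implicitly denied.
RULES = [
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24"), True),
]


def acl_lookup(rules, src, dst):
    """Full first-match scan: the slow path the flow cache is meant to skip."""
    for net_src, net_dst, permit in rules:
        if src in net_src and dst in net_dst:
            return permit
    return False


class FlowCache:
    """LRU cache keyed on (src, dst); every miss pays for a full ACL lookup."""

    def __init__(self, rules, capacity):
        self.rules = rules
        self.capacity = capacity
        self.entries = OrderedDict()
        self.hits = 0
        self.misses = 0

    def forward(self, src, dst):
        key = (src, dst)
        if key in self.entries:
            self.entries.move_to_end(key)      # refresh LRU position
            self.hits += 1
            return self.entries[key]
        self.misses += 1
        verdict = acl_lookup(self.rules, src, dst)
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # evict least recently used flow
        self.entries[key] = verdict
        return verdict


def legit_traffic(n_packets, n_flows):
    """Round-robin packets over a fixed set of legitimate flows (constructed)."""
    flows = [(ipaddress.ip_address("10.0.0.%d" % (i % 254 + 1)),
              ipaddress.ip_address("192.0.2.%d" % (i % 254 + 1)))
             for i in range(n_flows)]
    return [flows[i % n_flows] for i in range(n_packets)]


def diverse_dst_flood(n_packets):
    """One source, every packet to a different destination (constructed)."""
    src = ipaddress.ip_address("203.0.113.7")
    base = int(ipaddress.ip_address("100.64.0.0"))
    return [(src, ipaddress.ip_address(base + i)) for i in range(n_packets)]


def run(cache, packets):
    """Push packets through the cache; return (hits, misses) for this batch."""
    h0, m0 = cache.hits, cache.misses
    for src, dst in packets:
        cache.forward(src, dst)
    return cache.hits - h0, cache.misses - m0


def simulate(capacity=64, n_flows=32, legit_packets=1000, flood_packets=5000):
    """Steady state, then the flood, then legitimate traffic after the flood.

    Dict values are evaluated in order, so the phases share one cache state.
    """
    cache = FlowCache(RULES, capacity)
    return {
        "legit": run(cache, legit_traffic(legit_packets, n_flows)),
        "flood": run(cache, diverse_dst_flood(flood_packets)),
        "after": run(cache, legit_traffic(legit_packets, n_flows)),
    }


if __name__ == "__main__":
    for phase, (hits, misses) in simulate().items():
        print("%-6s hits=%5d misses=%5d  ACL lookups per packet=%.3f"
              % (phase, hits, misses, misses / (hits + misses)))
```

In the steady phase only the first packet of each of the 32 flows misses, so the ACL runs 32 times for 1000 packets. During the flood every packet misses, so the ACL runs once per packet and the forwarding cost collapses to the uncached rate, which is the "x kpps with diverse destinations" point. The third phase shows the collateral damage: the flood has evicted every legitimate flow, so the 32 real flows each miss again, which is why a per-packet design (or an accounting-only cache that is not in the forwarding path, as the reply describes for newer Cisco gear) does not suffer from this.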