From: Marko Zec
To: Kip Macy
Cc: svn-src-head@freebsd.org, Robert Watson, svn-src-all@freebsd.org, src-committers@freebsd.org, Andre Oppermann
Date: Mon, 20 Apr 2009 08:44:11 +0200
Subject: Re: svn commit: r191259 - head/sys/netinet
Message-Id: <200904200844.12344.zec@freebsd.org>
In-Reply-To: <3c1674c90904191405v56298134g286ea31ee4680769@mail.gmail.com>
References: <200904190444.n3J4i5wF098362@svn.freebsd.org> <200904192221.55744.zec@freebsd.org> <3c1674c90904191405v56298134g286ea31ee4680769@mail.gmail.com>

On Sunday 19 April 2009 23:05:55 Kip Macy wrote:
> On Sun, Apr 19, 2009 at 1:21 PM, Marko Zec wrote:
> > On Sunday 19 April 2009 19:13:37 Kip Macy wrote:
> >> On Sun, Apr 19, 2009 at 3:18 AM, Andre Oppermann wrote:
> >
> > ...
> >
> >> > I have another question on the flowtable: what is the purpose of it?
> >> > All router vendors learned a long time ago that route caching
> >> > (aka flow caching) doesn't work out on a router that carries the DFZ
> >> > (default free zone, currently ~280k prefixes).  The overhead of
> >> > managing the flow table and the high churn rate make it much more
> >> > expensive than a direct and already very efficient radix trie lookup.
> >> > Additionally, a well-connected DFZ router sees some 1k prefix updates
> >> > per second.  More information can be found, for example, at Cisco here:
> >> > http://www.cisco.com/en/US/tech/tk827/tk831/technologies_white_paper09186a00800a62d9.shtml
> >> > The same findings are also available from all other major router
> >> > vendors like Juniper, Foundry, etc.
> >> >
> >> > Let's examine the situations:
> >> >  a) Internal router with only a few routes: the routing and ARP tables
> >> >     are small, lookups are very fast, and everything is hot in the CPU
> >> >     caches anyway.
> >> >  b) DFZ router with 280k routes: a small flow table thrashes constantly,
> >> >     so it is pure overhead.  A large flow table has a high maintenance
> >> >     overhead, higher lookup times, and still a significant amount of
> >> >     thrashing.  The overhead of the flow table is equal to or higher
> >> >     than a direct routing table lookup.
> >> > The conclusion is that a flow table is never a win but a liability in
> >> > any realistic setting.
> >>
> >> You're assuming that a Cisco- / Juniper-class workload is
> >> representative of where FreeBSD is deployed.  I agree that FreeBSD is
> >> sub-optimal for large routing environments for a whole host of other
> >> reasons.  A better question is what "typical" FreeBSD deployments are,
> >> and how well the flowtable would work there.  The flowtable needs to be
> >> sized to correspond to the number of flows; its utility rapidly
> >> diminishes as the number of collisions per bucket increases.
> >
> > ... which makes a flow cache a perfect DoS target in any environment, be
> > it a DFZ or enterprise router or an end host or whatever.
>
> Uhm, that assumes you don't put a limit on the number of flows
> allocated - which I do.  When you hit the zone limit for flows you
> simply stop caching new flows.

... which means you fall back to the ordinary routing lookups, but only
after you have wasted cycles to compute a hash and found out that it
doesn't match anything in your cache -> in this case I would expect only a
degradation in performance, not an improvement.
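To make the path I have in mind concrete, here is a rough userland sketch.
To be clear, this is not the code in sys/net/flowtable.c; the names, the
hash and the sizes are made up for illustration.  It just models what we
are both describing: hash the packet, walk the bucket up to its collision
depth, and on a miss do the ordinary routing lookup anyway, caching the
result only while under the flow limit:

/*
 * Illustrative sketch only -- NOT the code in sys/net/flowtable.c.
 * All names and sizes here are invented; the point is just the shape
 * of the lookup path being discussed.
 */
#include <stdint.h>
#include <stdlib.h>

#define	FLOW_BUCKETS	1024		/* hash buckets, power of two */
#define	FLOW_MAX	4096		/* "zone limit": max cached flows */

struct flow_key {
	uint32_t src, dst;
	uint16_t sport, dport;
};

struct flow {
	struct flow_key	key;
	int		route;		/* stands in for the cached route */
	struct flow	*next;		/* hash chain */
};

static struct flow	*flow_buckets[FLOW_BUCKETS];
static int		flow_count;

/* Toy hash; real code would use a proper hash over the 4-tuple. */
static uint32_t
flow_hash(const struct flow_key *k)
{
	uint32_t h;

	h = k->src ^ k->dst ^ ((uint32_t)k->sport << 16 | k->dport);
	return ((h * 2654435761u) & (FLOW_BUCKETS - 1));
}

/* Stands in for the full radix trie (routing table) lookup. */
static int
routing_lookup(const struct flow_key *k)
{
	return ((int)(k->dst >> 24));	/* pretend: route by first octet */
}

static int
flow_lookup(const struct flow_key *k)
{
	struct flow *fle;
	uint32_t h;
	int route;

	h = flow_hash(k);		/* cycles spent even on a miss */
	for (fle = flow_buckets[h]; fle != NULL; fle = fle->next)
		if (fle->key.src == k->src && fle->key.dst == k->dst &&
		    fle->key.sport == k->sport && fle->key.dport == k->dport)
			return (fle->route);	/* cache hit */

	/* Miss: do the ordinary routing lookup after all. */
	route = routing_lookup(k);

	/* At the zone limit we simply stop caching new flows. */
	if (flow_count < FLOW_MAX && (fle = malloc(sizeof(*fle))) != NULL) {
		fle->key = *k;
		fle->route = route;
		fle->next = flow_buckets[h];
		flow_buckets[h] = fle;
		flow_count++;
	}
	return (route);
}

int
main(void)
{
	struct flow_key k = { .src = 0x0a000001, .dst = 0xc0a80101,
	    .sport = 12345, .dport = 80 };

	(void)flow_lookup(&k);		/* first packet: miss, then cached */
	return (flow_lookup(&k) == routing_lookup(&k) ? 0 : 1);	/* hit */
}

On a hit you save the routing lookup; on every miss - and once the zone
limit is reached, new flows miss forever - you pay the hash and the chain
walk on top of the routing lookup.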
> So the added overhead is simply the extra cache misses up to the
> collision depth for the bucket.  Are you two familiar with CAMs?

Not really, but I've heard anecdotes that Ciscos capped at 256K FIB entries
in CAM had to fall back to lookups in software once the size of the DFZ
table exceeded the 256K figure - so everybody rushed to get rid
of^H^H^H^H upgrade such hardware around 1.5 years ago in anticipation of
DFZ table bloom.

But it seems to me that CAM lookups are pretty resilient against DoSing by
throwing malicious synthetic flows at them, whereas flow caches will melt
down easily.

Marko
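P.S.  A back-of-envelope sketch of why I expect a capped flow cache to
melt down under synthetic flows - all numbers below are assumptions for
illustration, not measurements of the actual flowtable:

#include <stdio.h>

int
main(void)
{
	const double link_bps = 1e9;		/* assumed 1 Gbit/s attack link */
	const double frame_bits = 84 * 8;	/* 64-byte frame + preamble/IFG */
	const double pps = link_bps / frame_bits;	/* ~1.49M packets/s */
	const double zone_limit = 4096;		/* assumed flow zone limit */

	printf("attacker packets per second: %.0f\n", pps);
	printf("time to fill the flow zone:  %.1f ms\n",
	    zone_limit / pps * 1000.0);
	return (0);
}

With one spoofed 4-tuple per packet the zone fills in a few milliseconds,
after which every legitimate packet pays the hash and the chain walk and
still ends up doing the routing lookup, while a plain radix (or CAM)
lookup would cost the same with or without the attack.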