From owner-svn-src-all@FreeBSD.ORG Mon Apr 20 07:01:28 2009
From: Kip Macy
To: Marko Zec
Cc: svn-src-head@freebsd.org, Robert Watson, svn-src-all@freebsd.org, src-committers@freebsd.org, Andre Oppermann
Date: Mon, 20 Apr 2009 00:01:25 -0700
Subject: Re: svn commit: r191259 - head/sys/netinet
Message-ID: <3c1674c90904200001s1d03c7d8udcd2dd4cf99984fd@mail.gmail.com>
In-Reply-To: <200904200844.12344.zec@freebsd.org>
References: <200904190444.n3J4i5wF098362@svn.freebsd.org> <200904192221.55744.zec@freebsd.org> <3c1674c90904191405v56298134g286ea31ee4680769@mail.gmail.com> <200904200844.12344.zec@freebsd.org>

> ... which means you fall back to the ordinary routing lookups, but only after
> you have wasted cycles to compute a hash and found out that it doesn't match
> anything in your cache -> in this case I would expect only a degradation in
> performance, not an improvement.

If your normal operating conditions are DDOS then you have more serious
problems. I said that the system would not collapse as you were in fact
claiming, not that it would perform optimally.

>
>> So the added overhead is simply the
>> extra cache misses up to the collision depth for the bucket. Are you
>> two familiar with CAMs?
>
> Not really, but I've heard of anecdotes that Ciscos that were capped at 256K
> FIB entries in CAM had to fall back to lookups in software once the size of
> DFZ table exceeded the 256K figure - so everybody rushed to get rid
> of^H^H^H^H upgrade such hardware around 1.5 years ago in anticipation of DFZ
> table bloom.

If your memory is too small for your routing table you will have a problem.
If your flow table is too small you will have a problem. However, on modern
hardware, when running FreeBSD, unless every packet you are seeing is coming
from a different source you'll be rate limited by the number of kpps your
system can handle long before you run out of space to store a collision free
flow table.

>
> But it seems to me that CAM lookups are pretty resilient against DoSing by
> throwing malicious synthetic flows on them, whereas flow caches will melt
> down easily.

Actually a CAM is a hardware implementation of a hash table. It has the same
limitations. To claim that routers don't use flow tables because they are
handled in hardware is a very strange thing to say.

-Kip
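The "degradation, not collapse" argument above can be made concrete with a toy flow cache whose per-lookup cost is bounded by the bucket's collision depth: a packet that finds no free slot simply takes the ordinary routing lookup. This is an added illustration, not the FreeBSD flow-table code from r191259; NBUCKETS, MAXDEPTH, the seeded hash and the round-robin workload are all assumptions chosen for the example.

```c
/* Toy flow cache with a bounded collision depth (added example, not FreeBSD code). */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define NBUCKETS 1024   /* assumed table geometry for the example */
#define MAXDEPTH 4      /* probes per lookup never exceed this, so the worst case is bounded */

struct flow_key { uint32_t src, dst; uint16_t sport, dport; };
struct flow_entry { struct flow_key key; bool valid; };
enum flow_result { FLOW_HIT, FLOW_MISS_INSERTED, FLOW_FALLBACK };

static struct {
    struct flow_entry bucket[NBUCKETS][MAXDEPTH];
    uint32_t seed;                       /* per-boot secret: bucket placement is not guessable remotely */
    unsigned long hits, inserts, fallbacks;
} ft;                                    /* one global table so the example is easy to drive */

static void flow_reset(uint32_t seed) { memset(&ft, 0, sizeof(ft)); ft.seed = seed; }

/* Seeded toy mixer; a real implementation would use a keyed hash, this only shows the shape. */
static uint32_t flow_hash(const struct flow_key *k)
{
    uint32_t h = ft.seed ^ k->src;
    h ^= k->dst + 0x9e3779b9u + (h << 6) + (h >> 2);
    h ^= (((uint32_t)k->sport << 16) | k->dport) + 0x9e3779b9u + (h << 6) + (h >> 2);
    return h % NBUCKETS;
}

/* One packet: at most MAXDEPTH probes, then either the cached route or the ordinary routing lookup. */
static enum flow_result flow_lookup(const struct flow_key *k)
{
    struct flow_entry *b = ft.bucket[flow_hash(k)];
    for (int i = 0; i < MAXDEPTH; i++) {
        if (b[i].valid && memcmp(&b[i].key, k, sizeof(*k)) == 0) { ft.hits++; return FLOW_HIT; }
        if (!b[i].valid) { b[i].key = *k; b[i].valid = true; ft.inserts++; return FLOW_MISS_INSERTED; }
    }
    ft.fallbacks++;   /* bucket full: route normally, do not evict and thrash the cache */
    return FLOW_FALLBACK;
}

/* Constructed workload: npackets packets spread round robin over nflows distinct synthetic flows.
 * Returns the number of packets that got a route by any of the three paths. */
static unsigned long run_workload(unsigned long npackets, uint32_t nflows)
{
    for (unsigned long n = 0; n < npackets; n++) {
        uint32_t f = (uint32_t)(n % nflows);
        struct flow_key k = { .src = 0x0a000000u + f, .dst = 0xc0a80001u,
                              .sport = (uint16_t)(1024 + (f & 0xffffu)), .dport = 80 };
        flow_lookup(&k);
    }
    return ft.hits + ft.inserts + ft.fallbacks;
}
```

With a handful of repeating flows almost every packet hits the cache; with every packet from a different source the table fills to NBUCKETS * MAXDEPTH entries and the rest fall back to routing, but no packet costs more than MAXDEPTH probes plus one hash.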