Date: Thu, 13 Nov 2003 13:54:33 +0100
From: Anders Lowinger <anders@lowinger.se>
To: Haesu <haesu@towardex.com>
Cc: freebsd-net@freebsd.org
Subject: Re: tcp hostcache and ip fastforward for review
Message-ID: <3FB37F09.4050908@lowinger.se>
In-Reply-To: <20031112195529.GA48020@scylla.towardex.com>
References: <20031112024507.89398.qmail@web10007.mail.yahoo.com> <3FB20D2B.73624906@pipeline.ch> <20031112195529.GA48020@scylla.towardex.com>

Haesu wrote:
> I agree in that flow cache is bad and it should not be used.

Everything is not black or white. A flow cache can accelerate for example
Access Control Lists and/or firewalling, since only the first packet needs
to be verified. Cisco just added ACL bypass for firewall, which is a
similar feature.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d33da.html

> It only takes x num. of kpps with diverse destinations to knock off a router running flow based caching.

Yep, that is true and it's hard to work around.

> Extreme switches use flow based caching (called ipfdb) and any DoS attack that uses
> diverse destinations will kill it pretty quickly..

Cisco's newer stuff does the flow-cache independent of the forwarding, i.e.
the flow is more of an accounting cache.

--Anders, not affiliated with Cisco
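
The trade-off discussed in this message, as an added example (not code from the thread, FreeBSD or any vendor): a small direct-mapped flow cache in front of an ACL, counting how many packets still reach the full ACL check when the destination set fits the cache and when it does not. The cache size, the single ACL rule, the index function and all addresses are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHE_SLOTS 1024u   /* assumed cache size (power of two) */

struct flow_entry { uint32_t src, dst; int valid, permit; };
struct flow_cache { struct flow_entry slot[CACHE_SLOTS]; unsigned long acl_evals; };

/* Slow path: stand-in ACL with one constructed rule (deny dst 10.0.0.0/8). */
static int acl_permit(struct flow_cache *fc, uint32_t src, uint32_t dst)
{
    (void)src;
    fc->acl_evals++;                 /* count every full ACL evaluation */
    return (dst >> 24) != 10;
}

/* Fast path first; on a miss, run the ACL and cache the verdict for the flow. */
static int forward(struct flow_cache *fc, uint32_t src, uint32_t dst)
{
    /* Direct-mapped index on the low bits; a real cache would hash the flow key. */
    struct flow_entry *e = &fc->slot[(src ^ dst) & (CACHE_SLOTS - 1)];
    if (e->valid && e->src == src && e->dst == dst)
        return e->permit;            /* hit: ACL bypassed */
    e->src = src; e->dst = dst; e->valid = 1;
    e->permit = acl_permit(fc, src, dst);
    return e->permit;
}

/* Forward npkts packets from one source cycling over ndst destinations;
 * returns how many packets needed a full ACL evaluation. */
unsigned long simulate(unsigned long npkts, uint32_t ndst)
{
    static struct flow_cache fc;
    memset(&fc, 0, sizeof fc);
    for (unsigned long i = 0; i < npkts; i++)   /* constructed addresses */
        forward(&fc, 0xC0000201u, 0xC6336400u + (uint32_t)(i % ndst));
    return fc.acl_evals;
}

int main(void)
{
    printf("16 destinations:   %lu ACL evaluations\n", simulate(100000, 16));
    printf("4096 destinations: %lu ACL evaluations\n", simulate(100000, 4096));
    return 0;
}
```

Once the destination set exceeds the cache, every packet takes the slow path, so the ACL path has to be provisioned for the full packet rate rather than for the new-flow rate.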