tcp hostcache and ip fastforward for review
Anders Lowinger
anders at lowinger.se
Thu Nov 13 04:56:17 PST 2003
Haesu wrote:
> I agree in that flow cache is bad and it should not be used.
Everything is not black or white.
A flow cache can accelerate for example Access Control Lists
and/or firewalling, since only the first packet needs to be
verified.
Cisco just added ACL bypass for firewall, which is a similar feature.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d33da.html
> It only takes x num. of kpps with diverse destinations to knock off a router running flow based caching.
Yep, that is true and it's hard to work around.
> Extreme switches use flow based caching (called ipfdb) and any DoS attack that uses
> diverse destinations will kill it pretty quickly..
Cisco's newer stuff does the flow-cache independent of the forwarding, i.e. the
flow is more of an accounting cache.
--Anders, not affiliated with Cisco
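The two effects discussed in this thread, a flow cache letting only the first packet of a flow pay for the ACL check, and diverse-destination traffic defeating that cache, can be made concrete with a small model. The following is an added example, not code from the thread, from FreeBSD, Cisco or Extreme; `FlowCache`, `acl_lookup` and the traffic generators are this example's own names, and the LRU replacement policy and ACL rules are assumptions chosen for illustration. It shows that the collapse is driven by the number of concurrent distinct flows exceeding the cache capacity, not by raw packet rate, which is the figure a defender needs when sizing a cache or deciding (as Anders describes for Cisco's accounting-only cache) to keep it off the forwarding path.

```python
from collections import OrderedDict

# Constructed ACL: (destination prefix, action), first match wins.
ACL = [
    ("10.0.0.", "permit"),
    ("192.168.", "deny"),
]


def acl_lookup(dst):
    """Full ACL evaluation: the per-packet work a flow cache is meant to skip."""
    for prefix, action in ACL:
        if dst.startswith(prefix):
            return action
    return "deny"  # implicit deny at the end of the list


class FlowCache:
    """Fixed-capacity LRU cache of ACL decisions keyed on (src, dst, dport)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()  # flow key -> cached decision, LRU order
        self.hits = 0
        self.misses = 0      # each miss costs one full ACL evaluation
        self.evictions = 0   # entries pushed out by newer flows

    def decide(self, src, dst, dport):
        key = (src, dst, dport)
        if key in self.entries:
            self.entries.move_to_end(key)  # refresh LRU position
            self.hits += 1
            return self.entries[key]
        self.misses += 1
        action = acl_lookup(dst)
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # evict least recently used
            self.evictions += 1
        self.entries[key] = action
        return action

    def hit_ratio(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


def run(capacity, packets):
    """Push a constructed packet list through a cache and return it for inspection."""
    cache = FlowCache(capacity)
    for src, dst, dport in packets:
        cache.decide(src, dst, dport)
    return cache


def steady_traffic(n_packets, n_flows):
    """Constructed traffic: n_flows long-lived flows sharing the packets round-robin."""
    return [("172.16.0.1", f"10.0.0.{i % n_flows}", 80) for i in range(n_packets)]


def diverse_traffic(n_packets):
    """Constructed traffic: every packet goes to a destination not seen before."""
    return [("172.16.0.1", f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 80)
            for i in range(n_packets)]


if __name__ == "__main__":
    capacity = 1024
    for label, pkts in [
        ("50 steady flows", steady_traffic(10000, 50)),
        ("2000 steady flows (more than capacity)", steady_traffic(10000, 2000)),
        ("one new destination per packet", diverse_traffic(10000)),
    ]:
        c = run(capacity, pkts)
        print(f"{label:40s} hits={c.hits:5d} full ACL evals={c.misses:5d} "
              f"evictions={c.evictions:5d} hit ratio={c.hit_ratio():.3f}")
```

With 10000 packets and a 1024-entry cache, 50 steady flows need only 50 full ACL evaluations; as soon as the working set of flows exceeds the capacity (2000 round-robin flows, or a fresh destination every packet) every packet misses and the cache adds eviction work on top of the ACL lookup it was supposed to avoid. The practical check is therefore the distinct-flow count the cache must hold under load, which is why decoupling the cache from forwarding, or bounding the work per miss, matters more than the cache's nominal speedup.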