svn commit: r191259 - head/sys/netinet
Marko Zec
zec at freebsd.org
Mon Apr 20 07:30:13 UTC 2009
On Monday 20 April 2009 09:01:25 Kip Macy wrote:
...
> > But it seems to me that CAM lookups are pretty resilient against DoSing
> > by throwing malicious synthetic flows on them, whereas flow caches will
> > melt down easily.
>
> Actually a CAM is a hardware implementation of a hash table. It has
> the same limitations. To claim that routers don't use flow tables
> because they are handled in hardware is a very strange thing to say.
Well I may be missing something, but TCAMs typically used for routing lookups
are populated by the router's control plane, i.e. routing protocols, which
means that the number of entries in the FIB / TCAM correlates to the size of
RIB, i.e. it definitely doesn't grow / shrink dynamically in response to the
current flow pattern.
And I may not know how CAMs are implemented internally, but I'm not aware of
any current vendor who would use (T)CAMs indexed by a flow hash for routing
lookups. Wouldn't it be a more common case for a TCAM to hold a FIB table,
sorted in a way which lets more specific prefixes having precedence?
i.e.
FIB TCAM
10.0.1.0/24 -> 00001010 00000000 00000001 XXXXXXXX -> output port X
10.0.0.0/8 -> 00001010 XXXXXXXX XXXXXXXX XXXXXXXX -> output port Y
0.0.0.0/0 -> XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX -> output port Z
This definitely doesn't change with flows dynamics IMO.
Marko
More information about the svn-src-head
mailing list