[nsp] MD5 causes bigger problem than it fixes?

Edward Henigin ed at texas.net
Wed Apr 21 15:50:23 EDT 2004


On Wed, Apr 21, 2004 at 12:31:44PM -0700, Dan Hollis said:
> On Wed, 21 Apr 2004, Edward Henigin wrote:
> > Regardless of that hurdle, I don't see filtering as a realistic
> > approach, due to, again, the ease of a CPU DOS when you have filters
> > in place.  IIRC, my Ciscos do NOT do line-rate ACLs...
> 
> How much CPU does RPF take?

If you're suggesting that RPF is a solution in this case, please
elaborate.  I suspect that most border routers are like mine and
require "reachable-via any".

If you're suggesting that ACLs would be processed at the same rate
as RPF, then I just don't know the answer.  All I know is access-lists
on Ciscos put you at high risk for CPU DOS.

Ed
