[nsp] MD5 causes bigger problem than it fixes?

Kinczli Zoltán Zoltan.Kinczli at Synergon.hu
Thu Apr 22 10:05:50 EDT 2004


hello,

  While I can't tell you numbers, RPF takes considerably less CPU power than ACL.

Officially:
  "Unicast RPF has minimal CPU overhead and operates at a rate that is a small percentage lower than CEF/Optimum/Fast switching rates. Unicast RPF has far lower impact on performance as an antispoofing tool than the access-list approach"

  This holds true for general-purpose CPU platforms. For ASIC-based platforms,
the RPF check is usually done in hw, as in the case of C65k/C76k w/ PFC2/PFC3.
That seems to be "line rate" RPF.

  // however: RPF on PFC2 halves the TCAM, PFC3 is fine //

rgds
  -z.


-----Original Message-----
From: Joe Loiacono [mailto:jloiacon at csc.com]
Sent: Thursday, April 22, 2004 3:17 PM
To: Dan Hollis
Cc: cisco-nsp-bounces at puck.nether.net; cisco-nsp at puck.nether.net
Subject: Re: [nsp] MD5 causes bigger problem than it fixes?



Seems like that *is* the question.

Dan Hollis <goemon@anime.net>
Sent by: cisco-nsp-bounces
04/21/2004 03:31 PM
To: Edward Henigin <ed at texas.net>
cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] MD5 causes bigger problem than it fixes?

On Wed, 21 Apr 2004, Edward Henigin wrote:
> Regardless of that hurdle, I don't see filtering as a realistic
> approach, due to, again, the ease of a CPU DOS when you have filters
> in place.  IIRC, my Ciscos do NOT do line-rate ACLs...

How much CPU does RPF take?

-Dan

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



