On Tue, 5 Dec 2000, Ben Nagy wrote:

> Both good points. I agree that I wouldn't have a BGP router doing anything
> that could chew up not-well-defined amounts of RAM. According to the docco
> all you can really do to mitigate the RAM problem is set more aggressive
> timeouts, which is probably not enough.

If I couldn't do anything else in this industry, getting people to put
ingress and egress filter rules on border routers would be my first
choice.  State or not, just having good filter rules drops so much "bad
stuff" that it's a significant gain.  It used to be (and I've no idea if
it still is) that inbound access lists were process switched and outbound
access lists were fast switched, and the performance difference was
meaningful for a router.  My current recommendation is that incoming
anti-spoofing rules be inbound on the external interface, and that
everything else be outbound on the appropriate interface; the difference used
to be fairly significant in terms of router CPU utilization and latency
through a router, and people were very edgy about putting large inbound
filter lists on interfaces for that reason.

> So does ipfw do Linux? I know it's stateful but I haven't heard much about
> it in terms of good/bad...

I'm not sure.  The new netfilter in 2.4.x kernels contains
CONFIG_IP_NF_MATCH_STATE, which allows stateful packet matching.  I
haven't played with it at all yet though.  I expect it'll go on my list of
things to dig through once 2.4.x kernels start going in production.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

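The placement Paul describes (anti-spoofing rules inbound on the external interface, every other filter outbound on the interface the traffic leaves through), written out as an added Cisco IOS configuration example. This is not configuration from the thread or from any participant; the interface names (Serial0/0 toward the ISP, Ethernet0 toward the LAN), the site prefix 192.0.2.0/24 and the host addresses are constructed stand-ins.

```cisco
! Constructed example: Serial0/0 faces the ISP, Ethernet0 faces the LAN.
! The site owns 192.0.2.0/24 (a documentation prefix used as a stand-in).
!
! Anti-spoofing list. This is the only list applied INBOUND, and only on
! the external interface: it rejects packets arriving from the Internet
! that claim a source address which could not legitimately come from there.
ip access-list extended ANTISPOOF-IN
 remark our own prefix must never arrive from the outside
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark RFC 1918 private space
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark loopback, "this" network, multicast and class E as a source
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 31.255.255.255 any log
 permit ip any any
!
! Service policy for traffic headed INTO the LAN, applied OUTBOUND on the
! LAN interface rather than inbound on Serial0/0.
ip access-list extended TO-LAN-OUT
 remark "established" only checks ACK/RST bits; it is not connection tracking
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit tcp any host 192.0.2.25 eq smtp
 permit tcp any host 192.0.2.80 eq www
 permit udp any host 192.0.2.53 eq domain
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 deny   ip any any log
!
! Egress filter, applied OUTBOUND on the external interface: nothing leaves
! the site unless it carries one of the site's own source addresses.
ip access-list extended EGRESS-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Link to ISP (constructed)
 ip access-group ANTISPOOF-IN in
 ip access-group EGRESS-OUT out
!
interface Ethernet0
 description Site LAN (constructed)
 ip access-group TO-LAN-OUT out
```

The `log` keyword on the deny entries is what makes the anti-spoofing list useful for detection as well as blocking: a hit on ANTISPOOF-IN or EGRESS-OUT is either a misconfigured neighbour or something on the wire forging addresses, and either is worth a syslog line. The `established` entry deserves the caveat in its remark: it matches any TCP segment with ACK or RST set, so it is a stateless approximation of "reply traffic", not the kind of stateful matching the thread's later netfilter remark refers to.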
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
