> >Bad worst-case scenario?
> >A learning bridge works exactly like that... overloading the
> >bridge's MAC table can be countered.
>
> I imagine more that the manufacturer would be tempted to put a slow
> firewall core in a bridging firewall on the assumption that
> much/most of the traffic would not need processing. In a worst-case
> scenario all traffic would need to be processed by the firewall core,
> which, if indeed slow, could cause a serious bottleneck.
That's a BIG assumption...
> In short, it's a good design which could tempt a manufacturer
> to use a bad (performance) design.
Luckily some still go for max performance :)
1,7 Gig throughput on a 1 Gig box... or 125Mbit on a 100Mbit one...
(cleartext)
> Has it been discussed yet whether it would be possible to misdirect frames
> on a bridging firewall by forging source MAC addresses and poisoning (as
> opposed to overwhelming) the forwarding table?
Yes, depending on how you allow the forwarding table to be updated and what
checks you have in place, you can counter/prevent that.
Regards (and kind regards)
Diederik
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
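Added example, not from this thread or any product named in it: a learning-bridge forwarding table with the two update checks the discussion touches on, a per-port cap against table overload and a refusal of MAC moves until the old binding ages out, fed a constructed frame sequence. The cap and age-out values, the MAC addresses and the port numbers are assumptions for the demo.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Entry:
    port: int
    learned_at: float


@dataclass
class GuardedBridgeTable:
    """Learning-bridge forwarding table with checks on how it may be updated."""
    max_per_port: int = 64       # cap on MACs one port may learn (constructed value)
    age_seconds: float = 300.0   # entries older than this are forgotten
    entries: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def _expire(self, now):
        for mac in [m for m, e in self.entries.items() if now - e.learned_at > self.age_seconds]:
            del self.entries[mac]

    def learn(self, src_mac, in_port, now=None):
        """Update the table from a frame's source MAC; return False if the update is refused."""
        now = time.time() if now is None else now
        self._expire(now)
        cur = self.entries.get(src_mac)
        if cur is not None and cur.port != in_port:
            # MAC still bound to another port: a move is only accepted after age-out
            self.alerts.append(f"mac-move refused: {src_mac} port {cur.port}->{in_port}")
            return False
        if cur is None and sum(e.port == in_port for e in self.entries.values()) >= self.max_per_port:
            # port already holds its quota: one port cannot fill the whole table
            self.alerts.append(f"table-fill refused on port {in_port}: {src_mac}")
            return False
        self.entries[src_mac] = Entry(in_port, now)
        return True

    def lookup(self, dst_mac):
        e = self.entries.get(dst_mac)
        return e.port if e else None   # None: unknown destination, bridge floods


def demo():
    """Constructed frame sequence: two hosts, then a frame claiming host 1's MAC from port 2."""
    t = GuardedBridgeTable(max_per_port=2, age_seconds=60)
    t.learn("aa:aa:aa:aa:aa:01", 1, now=0)
    t.learn("bb:bb:bb:bb:bb:02", 2, now=0)
    moved = t.learn("aa:aa:aa:aa:aa:01", 2, now=5)   # refused: binding to port 1 still fresh
    t.learn("cc:cc:cc:cc:cc:03", 2, now=5)           # second MAC on port 2: within cap
    filled = t.learn("dd:dd:dd:dd:dd:04", 2, now=5)  # third MAC on port 2: over cap
    return t, moved, filled
```

The refused updates land in `alerts`, which is where a bridging firewall would log them; the age-out is what lets a host that genuinely relocates be re-learned later.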