North American Network Operators Group


Re: DoS attacks, NSPs unresponsiveness

  • From: Joe Shaw
  • Date: Thu Nov 02 12:53:40 2000

On Thu, 2 Nov 2000, John Kristoff wrote:

> J Bacher wrote:
> > Some suggestions:
> 
> A response I get is that they won't do it because it has a negative
> performance impact on their routers.  They blame the router vendors. 
> Suggestion 5), someone calculate what performance penalty there is for
> typical router configurations when these filters are applied.  Show some
> performance numbers that make the case for or against filtering.

You'll need to take into account the type of hardware being used, as well
as the platform's ability to take 'compiled' filter lists, like what Cisco
calls Turbo ACLs.  Turbo ACLs require 12.0(1)T and up on the 7200-12000
platforms, and supposedly require the same time to process whether the ACL
is 1 line or 100.  Are there any Tier 1 providers who are using hardware
less powerful than the 7200 series?  Where I'm currently at, we don't use
anything less powerful than the 7200VXR series, with the majority of our
hardware made up of GSRs, but we're not a Tier 1 provider either.  Is
there a significant amount of legacy gear deployed out in the Tier 1
networks?

I still think my idea of having the router core logic work in an "I don't
advertise network x.x.x.x, so I don't pass traffic from network
x.x.x.x" manner is an ideal solution, and should work as fast as route
table lookups.  So far, no one has presented a case where the opposite
behavior is desirable.

--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named because I
don't speak for them here.  I have public opinions, and they don't.
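The check Joe Shaw describes above ("I don't advertise network x.x.x.x, so I don't pass traffic from network x.x.x.x") is, in effect, a reverse-path lookup against the forwarding table, the behaviour later known as strict unicast RPF. The Python below is an added example written for this page, not code from the post or from any router vendor: it simulates that check over a constructed three-entry routing table and a few constructed packets. The interface names (ge0, ge1, upstream) and the prefixes (all from the documentation ranges) are assumptions. It also includes a loose variant, because the strict check drops legitimate traffic on links where routing is asymmetric (a source reachable via one interface but arriving on another), which is the usual reason it is applied on customer-facing edges rather than on peering links.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Table = List[Tuple[Net, str]]

# Constructed routing table (hypothetical): prefix -> interface the prefix is
# reached through.  The two customer prefixes are the networks this router
# would advertise; the default route points at the upstream.
ROUTES: Dict[str, str] = {
    "192.0.2.0/24": "ge0",       # customer A, behind interface ge0
    "198.51.100.0/24": "ge1",    # customer B, behind interface ge1
    "0.0.0.0/0": "upstream",     # default route towards the transit provider
}

# Constructed packets: (source address, interface the packet arrived on).
PACKETS: List[Tuple[str, str]] = [
    ("192.0.2.10", "ge0"),       # customer A's own address, from customer A
    ("198.51.100.5", "ge0"),     # customer B's address arriving from customer A
    ("203.0.113.7", "ge0"),      # address we only reach via the default route
    ("198.51.100.5", "ge1"),     # customer B's own address, from customer B
    ("192.0.2.10", "upstream"),  # customer A's address arriving from upstream
]


def build_table(routes: Dict[str, str]) -> Table:
    """Sort routes longest-prefix first so the first hit is the best match."""
    table = [(ipaddress.ip_network(p), ifname) for p, ifname in routes.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table: Table, addr: str) -> Optional[Tuple[Net, str]]:
    """Longest-prefix match; this is the same lookup forwarding already does."""
    ip = ipaddress.ip_address(addr)
    for net, ifname in table:
        if ip in net:
            return net, ifname
    return None


def strict_rpf(table: Table, src: str, ingress: str) -> bool:
    """Strict reverse-path check: forward only if the best route back to src
    points out the interface the packet came in on.  A default route is not
    accepted as a reverse path, since it would match any source."""
    match = lookup(table, src)
    if match is None:
        return False
    net, ifname = match
    if net.prefixlen == 0:
        return False
    return ifname == ingress


def loose_rpf(table: Table, src: str) -> bool:
    """Loose reverse-path check: forward if any non-default route exists for
    src, regardless of interface.  Tolerates asymmetric routing but only
    stops sources that are unrouted (bogon / unallocated space)."""
    match = lookup(table, src)
    return match is not None and match[0].prefixlen != 0


def filter_packets(table: Table, packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the strict check to each packet and record the verdict."""
    return [
        (src, ingress, "forward" if strict_rpf(table, src, ingress) else "drop")
        for src, ingress in packets
    ]


if __name__ == "__main__":
    table = build_table(ROUTES)
    for src, ingress, verdict in filter_packets(table, PACKETS):
        loose = "pass" if loose_rpf(table, src) else "drop"
        print(f"src={src:<14} in={ingress:<9} strict={verdict:<8} loose={loose}")
```

The second and third packets are the spoofing cases the thread is about: a customer sourcing another customer's addresses, and a customer sourcing addresses the router only knows via the default route. The last packet shows the cost of the strict rule on a transit-facing interface, where the loose check is the one operators would normally deploy.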