Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison

Citations: 0
Authors
Malone, David
Tobin, R. Joshua
Institution
Source
EC2ND 2008: FOURTH ANNUAL EUROPEAN CONFERENCE ON COMPUTER NETWORK DEFENSE, PROCEEDINGS | 2008
Keywords
DOI
10.1109/EC2ND.2008.9
Chinese Library Classification number
TP3 [Computing technology, computer technology];
Discipline classification code
0812 ;
Abstract
In this paper we look at the problem of choosing a good flow state lookup scheme for IPv6 firewalls. We want to choose a scheme which is fast when dealing with typical traffic, but whose performance will not degrade unnecessarily when subject to a complexity attack. We demonstrate the existing problem and, using captured traffic, assess a number of replacement schemes that are hash and tree based. Our aim is to improve FreeBSD's ipfw firewall, and so finally we implement the most promising replacement schemes. We show that even though they are more costly computationally, they do not noticeably degrade IPv6 forwarding performance.
Pages: 19-24
Number of pages: 6