On 2/18/07, Michael K. Edwards <[EMAIL PROTECTED]> wrote:
... Much less vulnerable to cache eviction DDoS than a hash, because the hot connections get rotated up into non-leaf layers and get traversed enough to keep them in the LRU set.
Let me enlarge on this a bit. I used to work for a company that built a custom firewall/VPN ASIC with all sorts of special sauce in it, mostly focused on dealing with DDoS. Some really smart guys, some really good technology, I hope they grab the brass ring someday. On the scale they were dealing with, there's only one thing to do about DDoS: bend over and take it. Provision enough memory bandwidth to cold-cache every packet, every session lookup, and every packet-processing-progress structure. Massively parallelize, spinlock on on-chip SRAM, tune for the cold-cache case. If you can't afford to do that -- and if you haven't designed your own chip, with separate cache windows for each of these use cases, you can't, because they're all retrograde loads for an LRU cache -- then a hash is not the right answer. The interaction between resizing and RCU is just the canary in the coal mine. Cheers, - Michael - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html