[At the risk of starting yet another flame war...]

On Mon, Jun 18, 2012 at 2:31 AM, Ryan McBride <mcbr...@openbsd.org> wrote:
> It's not critical because they can change the state table implementation
> later - OpenBSD has reorganised this several times with more planned -
> but we've put quite a bit of effort into removing hash tables in our
> kernel wherever possible, partly due to their attackability.

For what it's worth, DJB just published a paper introducing a new cryptographic PRF "SipHash" that's competitive in performance with other non-cryptographic hashing functions:

http://cr.yp.to/siphash/siphash-20120620.pdf

In the paper he proposes that using SipHash along with a random per-hash-table key should allow for hash tables that are resistant to hash flooding attacks.

I think it would be interesting to see as an experiment how pf performance compares with its current red-black trees vs SipHash-based hash tables.