>> actually, the formal rpki-based origin-validation stuff is measured >> to take *less* cpu, a lot less, than ACLs > On the platforms which really matter in terms of rPKI, ACLs are > handled in hardware, so this is pretty much a wash.
really? it was measured on a GSR. full check on a prefix, 10usec. that's microseconds. as chris pointed out, though, one pays for having the data in the trie, i.e. in ram. but not a lot. randy
