On Mon, 20 Apr 2009, Kip Macy wrote:
>> ... which means you fall back to the ordinary routing lookups, but only
>> after you have wasted cycles to compute a hash and found out that it
>> doesn't match anything in your cache -> in this case I would expect only a
>> degradation in performance, not an improvement.
>
> If your normal operating conditions are DDOS then you have more serious
> problems. I said that the system would not collapse as you were in fact
> claiming, not that it would perform optimally.

I think a useful test case to exercise this would be to look at the
performance of a real-world benchmark during a simulated synflood from spoofed
source IPs in which you gradually scale up the size of the source IP pool for
the synflood, as compared to running without the flowcache. The overhead of
all the flowcache misses should, presumably, be quite noticeable once it
overflows, as it adds additional locking and lookups (both of which have
historically been very noticeable). I think the important question is not
whether we can measure the overhead (if we can't then we're not testing
right), but whether it leads to a performance collapse that didn't previously
exist.
Robert N M Watson
Computer Laboratory
University of Cambridge