Download now Free registration required
In this paper, the authors look at the problem of choosing a good flow state lookup scheme for IPv6 firewalls. They want to choose a scheme which is fast when dealing with typical traffic, but whose performance will not degrade unnecessarily when subject to a complexity attack. They demonstrate the existing problem and, using captured traffic, assess a number of replacement schemes that are hash and tree based. Their aim is to improve FreeBSD's ipfw firewall, and so finally they implement the most promising replacement schemes. They show that even though they are more costly computationally, they do not noticeably degrade IPv6 forwarding performance.
- Format: PDF
- Size: 157.1 KB