Tom McMillan
2007-Jun-28 16:02 UTC
[crossbow-discuss] Does any other ethernet device which interfaces to Crossbow...
have the ability to discard flows?

The Neptune ASIC can discard any flow in its TCAM. That is, one can define a network flow, and then ask the chip to discard all packets that meet such a definition.

This could be useful in certain scenarios - e.g., Denial of Service (DoS) attacks.

Does any other device have this ability? If so, it might be useful to file an RFE for Crossbow to allow this sort of administration.

--
Tom McMillan
Sun Microsystems, Inc.
(858) 526-9278 x55278

Garrett D'Amore
2007-Jun-28 16:12 UTC
[crossbow-discuss] Does any other ethernet device which interfaces to Crossbow...
Tom McMillan wrote:
> have the ability to discard flows?
>
> The Neptune ASIC can discard any flow in its TCAM. That is, one can define
> a network flow, and then ask the chip to discard all packets that meet
> such a definition.
>
> This could be useful in certain scenarios - e.g., Denial of Service
> (DoS) attacks.
>
> Does any other device have this ability? If so, it might be useful to
> file an RFE for Crossbow to allow this sort of administration.

We've talked about this already.

Actually, any device that can set up a separate rx ring could do this, because all you'd have to do is let the rx ring fill up and never service it. One would assume that the device would just discard any new such packets.

But I'm pretty sure that the broadcom classifier found in bnx is capable of it. Not so sure about bge.

-- Garrett

Kais Belgaied
2007-Jun-28 21:35 UTC
[crossbow-discuss] Does any other ethernet device which interfaces to Crossbow...
Garrett D'Amore wrote:
> Tom McMillan wrote:
>
>> have the ability to discard flows?
>>
>> The Neptune ASIC can discard any flow in its TCAM. That is, one can define
>> a network flow, and then ask the chip to discard all packets that
>> meet such a definition.
>>
>> This could be useful in certain scenarios - e.g., Denial of Service
>> (DoS) attacks.
>>
>> Does any other device have this ability? If so, it might be useful
>> to file an RFE for Crossbow to allow this sort of administration.
>
> We've talked about this already.

I'd actually like to hear from other hardware vendors about their support of such a feature.

Kais.

> Actually, any device that can set up a separate rx ring could do this,
> because all you'd have to do is let the rx ring fill up and never
> service it. One would assume that the device would just discard any
> new such packets.
>
> But I'm pretty sure that the broadcom classifier found in bnx is
> capable of it. Not so sure about bge.
>
> -- Garrett