[106435] in North American Network Operators' Group


Re: Software router state of the art

daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Jul 28 16:42:26 2008

From: Florian Weimer <fw@deneb.enyo.de>
To: Joe Greco <jgreco@ns.sol.net>
Date: Mon, 28 Jul 2008 22:42:08 +0200
In-Reply-To: <200807261307.m6QD7oel005598@aurora.sol.net> (Joe Greco's message
	of "Sat, 26 Jul 2008 08:07:49 -0500 (CDT)")
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org

* Joe Greco:

> I'm not sure where the claims about "{one, few} flow{s}" are coming from.
> Certainly the number of flows on a typical UNIX box acting as a router is
> not that relevant unless you specifically configure something like 
> stateful firewalling, because the typical UNIX box simply doesn't have a
> *concept* of "flows."  It deals with packets.

You are mistaken.  Linux routing is flow-based.  Ever wondered what
those "dst cache overflow" messages you see during a DoS attack mean?
It's the flow cache complaining that it can't expire records in an
organic manner.

I don't know much about FreeBSD.  I think it got a route cache after
FreeBSD 4, too.  That's the reason why the FreeBSD 4 IP stack is still
so popular.
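As an added illustration (not part of Florian's post), a small log check for the symptom he describes: it counts "dst cache overflow" kernel messages per time window so that a burst during a flood stands out from the occasional one. The log lines are constructed, the syslog layout, window size and threshold are assumptions, and the "messages suppressed" crediting is a heuristic; it applies to kernels that still had the IPv4 routing cache (removed in Linux 3.6).

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed syslog-style kernel lines (not from the original post).
# "dst cache overflow" is what the old Linux IPv4 route cache logged when
# its garbage collector could not expire entries as fast as they arrived.
SAMPLE_LOG = """\
Jul 28 22:40:01 rtr kernel: eth0: link up
Jul 28 22:41:10 rtr kernel: dst cache overflow
Jul 28 22:41:11 rtr kernel: dst cache overflow
Jul 28 22:41:11 rtr kernel: dst cache overflow
Jul 28 22:41:12 rtr kernel: printk: 37 messages suppressed
Jul 28 22:41:12 rtr kernel: dst cache overflow
Jul 28 22:55:30 rtr kernel: dst cache overflow
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<msg>.*)$")
SUPPRESSED_RE = re.compile(r"printk: (\d+) messages suppressed")
EPOCH = datetime(2008, 1, 1)  # assumed log year; syslog timestamps carry none


def parse_overflows(text):
    """Return [(timestamp, count)] for each overflow-related kernel line.
    The message is rate-limited, so a following 'messages suppressed' notice is
    credited to the overflow count as a heuristic upper bound (the old notice is
    global and may also cover unrelated messages)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{EPOCH.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["msg"] == "dst cache overflow":
            events.append((ts, 1))
        else:
            s = SUPPRESSED_RE.search(m["msg"])
            if s:
                events.append((ts, int(s.group(1))))
    return events


def overflow_bursts(text, window_s=60, threshold=10):
    """Bucket overflow counts into fixed windows and return the windows whose
    total reaches threshold, i.e. sustained route-cache churn rather than noise."""
    buckets = Counter()
    for ts, n in parse_overflows(text):
        secs = int((ts - EPOCH).total_seconds())
        buckets[secs // window_s * window_s] += n
    return {EPOCH + timedelta(seconds=k): v
            for k, v in sorted(buckets.items()) if v >= threshold}
```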

