
Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing



>>>>> "Kanta" == Kanta Matsuura <kanta@imailab.iis.u-tokyo.ac.jp> writes:

 Kanta> Paul, Since I also think CPU protection is important,
 Kanta> ... My opinion is that CPU is
 Kanta> more important in a sense that memory exhaustion can be
 Kanta> numerically evaluated...  Do you have any other reasons (why the
 Kanta> most significant resource is CPU power rather than state
 Kanta> memory) ?

Several reasons.

Adding memory is generally far easier than adding CPU power.
Available memory sizes are very large and growing very quickly.  CPU
power doesn't grow nearly as quickly.  That is particularly true when
you look at packet processing.  In that case, the limits often involve 
the speed of your I/O bus, which tends to be slow and evolving very
slowly indeed.

Any protective or recovery action consumes CPU cycles.  If you're low
on CPU cycles, that's a problem.  So if the problem is memory
shortage, you probably still have CPU capacity left to resolve it.

In general, routers or devices like that have little if any problem in 
managing memory shortages.  CPU shortages are another matter.  Many
system designs suffer from malfunction under overload, so that some
things that have to get done do not get done because the CPU is too
busy doing other things that have been given higher priority.  It's
possible to do system design that avoids these issues, and it is wise
to do so, but that also depends on having the right hardware
structures.  (And the right software religion...)

	paul

 Kanta> Paul Koning <pkoning@xedia.com> wrote:
 Anderson> (2) Risk is reduced by minimizing set-up time and
 Anderson> maximizing non-setup processing (time).
 >>>  No.  Time is not of the essence.  The essential issue is the
 >>> resources consumed before good requests can be distinguished from
 >>> bad ones.  The most significant resource is CPU power; the
 >>> secondary one is state memory.