Re: DataStructure for Storing SPD,SA Entries
At 2:19 PM -0400 10/15/01, Steven M. Bellovin wrote:
>In message <sbcaca2a.040@prv-mail20.provo.novell.com>, "Hilarie Orman" writes:
>>If the SPD's are non-interfering, the hash table is fine. I'd guess that
>>these are the normal case for most configurations, but it's just a guess.
>>
>
>Sure -- but you have to verify that first, and if there are rules that do
>interfere you need a backup datastructure or you need to expand the
>SPD, which again takes checking and special code.
>
>I'm not objecting to hash tables -- *if* they're applicable. My note
>was more a caution on applicability.
>
> --Steve Bellovin, http://www.research.att.com/~smb
> Full text of "Firewalls" book now at http://www.wilyhacker.com
Since SPD rules are very similar to firewall filters, and these are
often overlapping, I would not anticipate independence unless great
care was taken to ensure it.
Steve
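
The applicability check discussed in this thread, as an added example that is not part of the original messages: a pairwise test of whether SPD selectors can match the same packet, which is what has to be verified before relying on a hash table alone. The selector fields, rule names and sample policies are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations

ANY = None  # wildcard protocol (assumption of this example)


@dataclass(frozen=True)
class Selector:
    name: str
    src: str                    # source CIDR prefix
    dst: str                    # destination CIDR prefix
    proto: object = ANY         # IP protocol number, or ANY
    dports: tuple = (0, 65535)  # inclusive destination port range


def overlaps(a: Selector, b: Selector) -> bool:
    """True if some packet could match both selectors."""
    if not ip_network(a.src).overlaps(ip_network(b.src)):
        return False
    if not ip_network(a.dst).overlaps(ip_network(b.dst)):
        return False
    if a.proto is not ANY and b.proto is not ANY and a.proto != b.proto:
        return False
    return a.dports[0] <= b.dports[1] and b.dports[0] <= a.dports[1]


def interfering_pairs(spd):
    """All rule pairs whose match sets intersect, so rule order matters."""
    return [(a.name, b.name) for a, b in combinations(spd, 2) if overlaps(a, b)]


def hash_lookup_applicable(spd) -> bool:
    """The thread's condition for a plain hash table: no two rules interfere."""
    return not interfering_pairs(spd)


# Constructed sample policies (not from the thread).
DISJOINT_SPD = [
    Selector("hq-web", "10.1.0.0/16", "192.0.2.10/32", 6, (443, 443)),
    Selector("hq-dns", "10.1.0.0/16", "192.0.2.53/32", 17, (53, 53)),
]
OVERLAPPING_SPD = DISJOINT_SPD + [
    Selector("hq-any", "10.1.0.0/16", "192.0.2.0/24"),  # covers both rules above
    Selector("lab-web", "10.1.5.0/24", "192.0.2.10/32", 6, (80, 8080)),
]

if __name__ == "__main__":
    print(hash_lookup_applicable(DISJOINT_SPD))
    print(interfering_pairs(OVERLAPPING_SPD))
```

Any pair this reports needs either an ordered fallback structure or an expansion of the SPD into non-overlapping entries, as noted in the quoted message.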