
Re: DataStructure for Storing SPD,SA Entries



At 2:19 PM -0400 10/15/01, Steven M. Bellovin wrote:
>In message <sbcaca2a.040@prv-mail20.provo.novell.com>, "Hilarie Orman" writes:
>>If the SPD's are non-interfering, the hash table is fine.  I'd guess that
>>these are the normal case for most configurations, but it's just a guess.
>>
>
>Sure -- but you have to verify that first, and if there are rules that do
>interfere you need a backup data structure or you need to expand the
>SPD, which again takes checking and special code.
>
>I'm not objecting to hash tables -- *if* they're applicable.  My note
>was more a caution on applicability.
>
>		--Steve Bellovin, http://www.research.att.com/~smb
>		Full text of "Firewalls" book now at http://www.wilyhacker.com

Since SPD rules are very similar to firewall filters, and these are 
often overlapping, I would not anticipate independence unless great 
care was taken to ensure it.

Steve
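The point both messages make, that a hash table only works for an SPD whose rules never match the same packet and that you have to check that before relying on it, can be shown concretely. The following is an added example written for this archive page, not code from the thread or from any IPsec implementation. It assumes a simplified rule format (source prefix, destination prefix, optional IP protocol, action) and RFC 2401's default of discarding traffic that matches no SPD entry; the sample rules use documentation address ranges and are constructed here.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Hypothetical rule shape for this example: selectors are a source prefix,
# a destination prefix and an optional IP protocol number (None = any).
@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int]
    action: str  # "protect", "bypass" or "discard"


def selectors_intersect(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules (the rules 'interfere')."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (a.proto is None or b.proto is None or a.proto == b.proto))


def interfering_pairs(rules: List[Rule]) -> List[Tuple[int, int]]:
    """The check Bellovin asks for: which rule pairs can match the same packet."""
    return [(i, j) for (i, a), (j, b) in combinations(enumerate(rules), 2)
            if selectors_intersect(a, b)]


def matches(rule: Rule, src: IPv4Address, dst: IPv4Address, proto: int) -> bool:
    return (src in rule.src and dst in rule.dst
            and (rule.proto is None or rule.proto == proto))


def ordered_lookup(rules: List[Rule], src: IPv4Address, dst: IPv4Address, proto: int) -> str:
    """First-match walk over an ordered SPD; correct whether or not rules overlap.
    Assumed RFC 2401 default: no match means discard."""
    for rule in rules:
        if matches(rule, src, dst, proto):
            return rule.action
    return "discard"


HashedSPD = Dict[Tuple[IPv4Network, IPv4Network, Optional[int]], Rule]


def build_hashed_spd(rules: List[Rule]) -> HashedSPD:
    """Hash-table SPD keyed by exact selector tuple. Refuses interfering rule
    sets, because a dict has no rule order to break ties with."""
    clashes = interfering_pairs(rules)
    if clashes:
        raise ValueError(f"SPD rules interfere, hash table not applicable: {clashes}")
    return {(r.src, r.dst, r.proto): r for r in rules}


def hashed_lookup(table: HashedSPD, src: IPv4Address, dst: IPv4Address, proto: int) -> str:
    """Probe once per distinct selector shape (prefix lengths, any-protocol flag).
    With an independent SPD at most one probe can hit."""
    shapes = {(k[0].prefixlen, k[1].prefixlen, k[2] is None) for k in table}
    hits = []
    for slen, dlen, any_proto in shapes:
        key = (IPv4Network((src, slen), strict=False),
               IPv4Network((dst, dlen), strict=False),
               None if any_proto else proto)
        if key in table:
            hits.append(table[key])
    assert len(hits) <= 1, "independence check was skipped or wrong"
    return hits[0].action if hits else "discard"


# Constructed sample SPD: rules 0 and 1 overlap the way firewall filters usually do
# (a specific TCP rule in front of a catch-all for the same site pair).
OVERLAPPING = [
    Rule(IPv4Network("192.0.2.0/24"), IPv4Network("198.51.100.0/24"), 6, "protect"),
    Rule(IPv4Network("192.0.2.0/24"), IPv4Network("198.51.100.0/24"), None, "bypass"),
    Rule(IPv4Network("10.0.0.0/8"), IPv4Network("10.0.0.0/8"), None, "bypass"),
]

# Same intent, rewritten so no packet matches two rules (TCP vs UDP, site pair vs 10/8).
INDEPENDENT = [
    Rule(IPv4Network("192.0.2.0/24"), IPv4Network("198.51.100.0/24"), 6, "protect"),
    Rule(IPv4Network("192.0.2.0/24"), IPv4Network("198.51.100.0/24"), 17, "discard"),
    Rule(IPv4Network("10.0.0.0/8"), IPv4Network("10.0.0.0/8"), None, "bypass"),
]

TCP, UDP = 6, 17
A, B = IPv4Address("192.0.2.7"), IPv4Address("198.51.100.9")


def demo() -> Tuple[str, str, bool, str, str]:
    """Returns: ordered result, result with the two overlapping rules swapped,
    whether the hash table refused the overlapping set, and two hashed lookups."""
    forward = ordered_lookup(OVERLAPPING, A, B, TCP)
    swapped = ordered_lookup([OVERLAPPING[1], OVERLAPPING[0], OVERLAPPING[2]], A, B, TCP)
    try:
        build_hashed_spd(OVERLAPPING)
        refused = False
    except ValueError:
        refused = True
    table = build_hashed_spd(INDEPENDENT)
    return (forward, swapped, refused,
            hashed_lookup(table, A, B, UDP),
            hashed_lookup(table, IPv4Address("10.1.1.1"), IPv4Address("10.2.2.2"), TCP))


if __name__ == "__main__":
    print(demo())
```

Swapping the two overlapping rules changes the ordered lookup from "protect" to "bypass", which is exactly the ordering a hash table cannot encode; the interference check has to run at policy-load time, and the "expand the SPD" alternative from the message corresponds to rewriting the rule set into something like INDEPENDENT.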

