Complexity attack resistant flow lookup schemes for IPv6: a measurement based comparison
Malone, David and Tobin, R. Joshua (2008) Complexity attack resistant flow lookup schemes for IPv6: a measurement based comparison. In: Proceedings, Fourth annual European Conference on Computer Network Defense. EC2ND 2008, December 11th & 12th 2008, Dublin City University, Dublin, Ireland.
In this paper we look at the problem of choosing a good flow state lookup scheme for IPv6 firewalls. We want to choose a scheme which is fast when dealing with typical traffic, but whose performance will not degrade unnecessarily when subject to a complexity attack. We demonstrate the existing problem and, using captured traffic, assess a number of replacement schemes that are hash and tree based. Our aim is to improve FreeBSD’s ipfw firewall, and so finally we implement the most promising replacement schemes. We show that even though they are more costly computationally, they do not noticeably degrade IPv6 forwarding performance.