[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ACLs

To: "Smith, Donald" <Donald.Smith@qwest.com>
Subject: Re: ACLs
From: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 23 Jul 2003 20:14:36 +0200
Cc: "'George M. Jones'" <gmjones@mitre.org>, Randy Bush <randy@psg.com>, opsec@ops.ietf.org
In-reply-to: <2D00AD0E4D36D411BD300008C786E4240D558FF0@Denntex021.qwest.net> (DonaldSmith's message of "Wed, 23 Jul 2003 11:59:50 -0600")
Mail-followup-to: "Smith, Donald" <Donald.Smith@qwest.com>, "'George M.Jones'" <gmjones@mitre.org>, Randy Bush <randy@psg.com>,opsec@ops.ietf.org
References: <2D00AD0E4D36D411BD300008C786E4240D558FF0@Denntex021.qwest.net>
User-agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (gnu/linux)

"Smith, Donald" <Donald.Smith@qwest.com> writes:

> How about 1000 line acl/ less then 10 millisecond impact?? or something like
> that.

ACL costs are not proportional to line count.  One device can filter
at wirespeed from, say, 30,000 lines of ACLs, to less than 1,000,
depending on the ACL enties.  Requiring a minimum of "mutually
independent ACL entries" (which do not depend on processing order)
might be more feasible.

However, where should we draw the boundary?  IMHO, 100 is far too low
for practical purposes, but why 500, 1000?

In the end, it's also a choice you have as a purchaser.  Even for
GSRs, you can buy a truly ACL-capable OC48 interface right now, but it
has got a certain price tag.  If you don't want to filter in the core,
why should pay the additional price?

To me, this whole ACL issue starts to look more and more like
something which requires vendor documentation, but not necessarily
specific implementations.

Follow-Ups:
- Re: ACLs
  - From: "George M. Jones" <gmjones@mitre.org>
- RE: ACLs
  - From: "David Newman" <dnewman@networktest.com>

References:
- RE: ACLs
  - From: "Smith, Donald" <Donald.Smith@qwest.com>

Prev by Date: RE: ACLs
Next by Date: RE: ACLs
Previous by thread: RE: ACLs
Next by thread: RE: ACLs
Index(es):
- Date
- Thread