[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: ACLs

To: <opsec@ops.ietf.org>
Subject: RE: ACLs
From: "David Newman" <dnewman@networktest.com>
Date: Wed, 23 Jul 2003 11:32:03 -0700
In-reply-to: <87y8ypt8j7.fsf@deneb.enyo.de>

> However, where should we draw the boundary?  IMHO, 100 is far too low
> for practical purposes, but why 500, 1000?

To murky the waters further, there MAY be different costs depending on the
filter criterion -- eg., L3 criteria may be less expensive than L4 or L7
criteria.

Also, the delay on an OC48 is going to be rather different than that for a
DS-1, and that makes absolute numbers not very meaningful in the general
case. Two possible ways to deal with this would be a) state percentage gains
in delay over the no-ACL case; or b) use absolute numbers but state the
known threshold delay will degrade a given application's performance.

Caution: From a box-measurement perspective, (b) is a rathole.

dn

References:
- Re: ACLs
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: ACLs
Next by Date: [T1M1SEC] FW: Mgmnt Plane Sec - T1.276-2003 Published 2 Days afterANSI App roval! (fwd)
Previous by thread: Re: ACLs
Next by thread: Re: ACLs
Index(es):
- Date
- Thread