[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ACLs

To: "George M. Jones" <gmjones@mitre.org>
Subject: Re: ACLs
From: "George M. Jones" <gmjones@mitre.org>
Date: Tue, 29 Jul 2003 15:05:02 -0400
Cc: David Newman <dnewman@networktest.com>, opsec@ops.ietf.org
References: <BAEALKMNKLEELDKGBICPGECEDEAA.dnewman@networktest.com> <3F26C24E.6010606@mitre.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

George M. Jones wrote:

David Newman wrote:
However, where should we draw the boundary? IMHO, 100 is far too low
for practical purposes, but why 500, 1000?
To murky the waters further, there MAY be different costs depending on the
filter criterion -- eg., L3 criteria may be less expensive than L4 or L7
criteria.
True.
Also, the delay on an OC48 is going to be rather different than that for a
DS-1, and that makes absolute numbers not very meaningful in the general
case. Two possible ways to deal with this would be a) state percentage gains
in delay over the no-ACL case; or

So how would you reword the current 2.10.3 to make it both realistic and testable ?

It currently reads:

2.10.3 Ability to Filter Without Performance Degradation

Requirement. The device MUST provide a means to filter packets
without performance degradation. The device MUST be able to filter
on ALL interfaces (up to the maximum number possible)
simultaneously and with multiple filters per interface (e.g.,
inbound and outbound).

Thanks,
---George Jones

References:
- RE: ACLs
  - From: "David Newman" <dnewman@networktest.com>

Prev by Date: Re: ACLs
Next by Date: Re: Ability to withstand well known attacks (fwd)
Previous by thread: RE: ACLs
Next by thread: Re: ACLs
Index(es):
- Date
- Thread