RE: draft status, BoF, replies to issues
>Over what period do you need to keep these counts?
>Realize that a 32-bit counter can track up to 4,294,967,295 events. How
>long would the typical filter need to count its hits to exceed that
>capacity?
Well, today there is a significant amount of OC192 deployed. There
are also millions of home DSL subscribers who have pretty much
no protection on their home systems, implying that DoS attacks can
potentially be pretty large. Suppose that a DoS attack is launched
against an OC192 link with enough bandwidth to fill up the link with
40 byte packets (this probably implies that the attack is not using
the same packet format as the original infection). Suppose that you
turn on a filter on the link which discards all of the bogus packets
successfully, and you are counting the filter hits in a 32 bit counter.
If I am doing the math right:
- 10,000,000,000 bps (OC192) divided by 40 bytes per packet
- implies 31,250,000 packets per second are being hit by the
filter.
Assuming that the 32 bit number is a positive integer (so that you
don't have a sign bit, and can count all the way up to (2^32)-1):
This will wrap around in a little more than two minutes.
Which implies that 64 bit counters are a good idea, at least in
some cases.
Ross
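The arithmetic above, redone as a small added example (not part of the original thread): it takes the link rate and minimum packet size, computes the filter hit rate, gives the time until an unsigned counter of a given width wraps, and generalizes to the smallest counter width that survives a chosen polling period. The 10 Gbps OC192 figure and 40-byte packets are the ones used in the message.

```python
from math import ceil, log2

SECONDS_PER_YEAR = 365.25 * 86400


def packets_per_second(link_bps: float, packet_bytes: int) -> float:
    """Filter hit rate if the link is saturated with packets of the given size."""
    return link_bps / (8 * packet_bytes)


def wrap_seconds(counter_bits: int, pps: float) -> float:
    """Seconds until an unsigned counter of counter_bits width wraps at hit rate pps."""
    max_count = 2 ** counter_bits - 1
    return max_count / pps


def min_counter_bits(pps: float, period_seconds: float) -> int:
    """Smallest unsigned counter width that will not wrap within period_seconds.

    Useful when the counter is read by a poller: the width must cover at least
    one polling interval, otherwise a wrap between two reads is undetectable.
    """
    return ceil(log2(pps * period_seconds + 1))


if __name__ == "__main__":
    # Figures from the message: OC192 taken as 10 Gbps, flooded with 40-byte packets.
    pps = packets_per_second(10_000_000_000, 40)
    print(f"filter hits/s: {pps:,.0f}")
    for bits in (32, 48, 64):
        secs = wrap_seconds(bits, pps)
        if secs < 3600:
            print(f"{bits}-bit counter wraps in {secs / 60:.1f} minutes")
        else:
            print(f"{bits}-bit counter wraps in {secs / SECONDS_PER_YEAR:,.0f} years")
    # Counter width needed so a poller reading once per hour / once per day never misses a wrap.
    for label, period in (("1 hour", 3600), ("1 day", 86400)):
        print(f"poll every {label}: need at least {min_counter_bits(pps, period)} bits")
```

At 31,250,000 hits per second the 32-bit counter wraps in about 137 seconds, matching the "little more than two minutes" in the message, while a 64-bit counter lasts on the order of 18,700 years.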