Re: [sami] A new draft on state migration use cases is submitted.

Melinda Shore <melinda.shore@gmail.com> Tue, 11 October 2011 06:30 UTC


On 10/10/11 10:06 PM, 卓志强(研七 福州) wrote:
> The "filtering rules" are like ACLs. As the numbers increase, the performance of different software has declined.

I read that paper.  If you go to section 4.3 you'll see that
performance varies with the underlying data structures, and
while ipfilter uses a really witless linear search the others
mentioned do not, and don't show the same performance impacts
from large numbers of installed filter rules:

"The lines for iptables on both figures show clearly the non-scaling
behaviour of iptables. However both nf-hipac and ipset performed almost
indifferently with regard of the number of rules. ipset was a tiny bit
better than nf-hipac, but ipset is more lighter and simpler than
nf-hipac. The last figure shows the required time to add the given
number of rules to the kernel. Again, iptables suffers from its linear
algorithms (which produces exponential behaviour in rule-addition due to
the cumulating effect) while nf-hipac and ipset are immune from such
problems."

Melinda
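
The data-structure point in the message above, as an added example that is not part of the original message or of the paper it quotes: a simplified Python model (not iptables, nf-hipac or ipset code) that counts address comparisons for an ordered linear rule list versus a hashed address set. The rule set, the test packet and all function and class names are constructed for illustration.

```python
import ipaddress

def build_rules(n):
    """Constructed sample data: n single-host block rules, 10.0.0.1 upward."""
    base = int(ipaddress.IPv4Address("10.0.0.0"))
    return [base + i for i in range(1, n + 1)]

def linear_match(rules, src):
    """Ordered rule list: compare the packet against each rule in turn."""
    comparisons = 0
    for rule in rules:
        comparisons += 1
        if rule == src:
            return True, comparisons
    return False, comparisons

class HashedSet:
    """Chained hash table keyed on the source address (simplified model)."""
    def __init__(self, rules):
        # Power-of-two bucket count, at least twice the number of entries.
        self.nbuckets = 1 << (2 * len(rules) - 1).bit_length()
        self.buckets = [[] for _ in range(self.nbuckets)]
        for rule in rules:
            self.buckets[self._slot(rule)].append(rule)

    def _slot(self, addr):
        # Plain modulo keeps the model readable; it is an assumption of this
        # example, not the hash any real packet filter uses.
        return addr % self.nbuckets

    def match(self, src):
        comparisons = 0
        for entry in self.buckets[self._slot(src)]:
            comparisons += 1
            if entry == src:
                return True, comparisons
        return False, comparisons

def compare(n, packet="192.0.2.1"):
    """Comparisons needed to decide that a non-matching packet passes."""
    rules = build_rules(n)
    src = int(ipaddress.IPv4Address(packet))
    return linear_match(rules, src)[1], HashedSet(rules).match(src)[1]

if __name__ == "__main__":
    for n in (16, 256, 4096):
        linear, hashed = compare(n)
        print(f"{n:5d} rules: linear={linear:5d} comparisons, hashed={hashed}")
```

The non-matching packet is the worst case for the linear list, since every installed rule is examined before the packet is passed, while the hashed lookup only examines the entries in one bucket.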