Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison

Abstract

In this paper we look at the problem of choosing a good flow statelookup scheme for IPv6 firewalls. We want to choose a scheme whichis fast when dealing with typical traffic, but whose performancewill not degrade unnecessarily when subject to a complexity attack.We demonstrate the existing problem and, using captured traffic,assess a number of replacement schemes that are hash and tree based.Our aim is to improve FreeBSD's ipfw firewall, and so finally weimplement the most promising replacement schemes. We show that eventhough they are more costly computationally, they do not noticeablydegrade IPv6 forwarding performance.