On 10/23/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
>
> * Tony Sarendal <[EMAIL PROTECTED]> [2007-10-22 18:33]:
> > I didn't get that opinion from marketing.
> > No matter, we disagree, let's leave it at that.
>
> well, yeah, nonetheless, I wanna point out the essence why stateful is
> better (the way we do it in OpenBSD):
>
> 1) it moves the limit where the box starts to suffer from overload quite
> far, or, in other words, the box can handle a much larger amount of
> traffic before it starts to drop stuff. thus it can withstand bigger
> amounts of (D)DoS too.
> 2) once it gets to that point, it is more selective in dropping packets
> than a stateless box, as it prefers established connections. this
> behaviour cannot be valued enough in (D)DoS type of situations.
I wish to implement things in a way where the link is the limitation, not the box. But there is no point in re-doing that discussion. When I have some time free I'll test it in the lab to see that difference in behaviour.

Any ideas of when you will get around to handling asymmetric traffic in a stateful way?

/Tony
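The two points Henning makes in the quoted mail, modelled as an added example (illustration code written for this page, not pf source and not anything either poster sent): a small Python stateful filter that does a hash lookup for packets matching an existing state, walks the ruleset only for packets without state, refuses new states once the table is full, and shortens idle timeouts as the table fills in the way pf's `adaptive.start`/`adaptive.end` timeouts do. The ruleset size, state limit, timeouts, traffic rates and the names `StatefulFilter` and `run_flood` are all assumptions; the traffic is constructed.

```python
"""Toy model of a stateful packet filter under a SYN flood.

Added illustration, not pf code. It imitates three pf-like behaviours: a
packet that matches an existing state skips the ruleset walk, the state
table has a hard limit, and idle states are expired faster as the table
fills (adaptive timeouts). Every size, rate and timeout below is an
assumption chosen to make the effects visible.
"""

RULESET_SIZE = 200            # assumed: rule checks needed to classify a packet without state
ALLOWED_PORTS = {22, 80, 443}  # assumed ruleset: pass to these ports, block the rest


class StatefulFilter:
    """Keeps (src, dst, dport) -> last-seen tick for accepted connections."""

    def __init__(self, state_limit, idle_timeout, adaptive_start=None, adaptive_end=None):
        self.limit = state_limit
        self.idle_timeout = idle_timeout
        self.adaptive_start = adaptive_start
        self.adaptive_end = adaptive_end
        self.states = {}
        self.state_hits = 0       # cheap lookups, cost 1 each
        self.rule_cost = 0        # ruleset walks, cost RULESET_SIZE each

    def effective_timeout(self):
        """Full timeout below adaptive.start, scaled linearly towards zero at
        adaptive.end; without adaptive settings the timeout is constant."""
        n = len(self.states)
        if self.adaptive_start is None or n <= self.adaptive_start:
            return self.idle_timeout
        span = self.adaptive_end - self.adaptive_start
        return self.idle_timeout * max(0, self.adaptive_end - n) / span

    def expire(self, now):
        """Called once per tick: purge states idle longer than the timeout."""
        t = self.effective_timeout()
        for key in [k for k, last in self.states.items() if now - last > t]:
            del self.states[key]

    def filter(self, src, dst, dport, syn, now):
        key = (src, dst, dport)
        if key in self.states:             # established: one hash lookup, no rule walk
            self.state_hits += 1
            self.states[key] = now
            return "pass"
        self.rule_cost += RULESET_SIZE     # no state: the whole ruleset is evaluated
        if not syn or dport not in ALLOWED_PORTS:
            return "drop"                  # only a SYN may create state (flags S/SA)
        if len(self.states) >= self.limit:
            return "drop"                  # table full: new connections are refused,
        self.states[key] = now             # established ones are untouched
        return "pass"


def run_flood(adaptive, ticks=80, limit=1000, flood_rate=200, flood_window=(10, 29)):
    """Simulate a SYN flood against one server behind the filter.

    Constructed traffic per tick: every established legit client sends one data
    packet, two new legit clients try to connect, and inside the flood window
    `flood_rate` SYNs arrive from fresh spoofed sources that never answer.
    Returns (established packets dropped, first tick after the flood at which a
    new legit connection is accepted again, cost ratio stateless/stateful).
    """
    srv = "10.0.0.1"
    if adaptive:  # assumed: adaptive.start/end at 60 % and 120 % of the limit
        f = StatefulFilter(limit, 60, int(limit * 0.6), int(limit * 1.2))
    else:
        f = StatefulFilter(limit, 60)
    established = [f"client-{i}" for i in range(50)]
    for c in established:
        f.filter(c, srv, 80, True, 0)      # handshakes completed before the flood
    total_packets = len(established)
    est_dropped, recovery, new_id = 0, None, 0
    for t in range(1, ticks + 1):
        f.expire(t)
        for c in established:              # mid-stream data from established flows
            total_packets += 1
            if f.filter(c, srv, 80, False, t) == "drop":
                est_dropped += 1
        accepted = []
        for _ in range(2):                 # new legitimate connection attempts
            new_id += 1
            total_packets += 1
            src = f"newclient-{new_id}"
            if f.filter(src, srv, 80, True, t) == "pass":
                accepted.append(src)
                if t > flood_window[1] and recovery is None:
                    recovery = t
        established.extend(accepted)
        if flood_window[0] <= t <= flood_window[1]:
            for i in range(flood_rate):    # spoofed SYNs that never complete a handshake
                total_packets += 1
                f.filter(f"spoofed-{t}-{i}", srv, 80, True, t)
    stateless_cost = total_packets * RULESET_SIZE  # a stateless box walks rules for every packet
    stateful_cost = f.state_hits + f.rule_cost
    return est_dropped, recovery, stateless_cost / stateful_cost


if __name__ == "__main__":
    for mode in (False, True):
        dropped, back, ratio = run_flood(adaptive=mode)
        print(f"adaptive={mode}: established packets dropped={dropped}, "
              f"new connections accepted again at tick {back}, "
              f"stateless/stateful cost ratio={ratio:.1f}")
```

In both runs no packet of an established connection is ever dropped: its state is refreshed every tick, so it survives even when the table is full, which is the "prefers established connections" behaviour. The price is that new legitimate connections are refused while the table is full of half-open flood states; with a fixed 60-tick timeout they are refused until tick 71, with adaptive timeouts the flood states are reaped sooner and new connections get through again at tick 31. The knobs the model imitates are pf's `set limit states` and `set timeout { adaptive.start, adaptive.end }`; the cost ratio shows why the box's own overload point moves out: only packets without state pay for a ruleset walk.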

