09/26/04

Sun, 26 Sep 2004 18:07:05 +0000 (UTC)

D. J. Bernstein wrote:
>Ethernet is moving up to 10Gbps; many people have 1Gbps; tons of people
>run at 100Mbps.

Ethernet speeds are pretty much irrelevant in this context. It is the
Internet that is usually the risk, not other users on the same subnet.
And very few people have a 1Gbps link to the Internet.

>> Most applications are susceptible to far worse application-level DoS
>> attacks.
>And some applications aren't. In fact, many of my computers deal _only_
>with authorized users. I want to maintain service to those users through
>a flood. The only bottlenecks are (1) network capacity and (2) CPU time
>for discarding packets from unauthorized users.

Ok, if you're in that situation and you have a 1Gbps link to the outside
world, then you should worry about this risk. I'm not saying no one
is in this situation -- I'm just saying that you are a very rare case.
For the overwhelming majority of users, there is no need to worry about
DoS attacks on symmetric-key modes of operation.

>There is, furthermore, a simple solution to the ``application-level''
>floods: require all users to pay in advance for their resource use. Hey,
>go ahead and use my CPU time, as long as you pay me for it!

Sure, it is conceptually simple. But in practice, there are huge
barriers. First, there is currently no payment infrastructure. Second,
many people want to offer services for free. If people were forced to
pay to view my website, they wouldn't view it; if I want people to view
my website, that's a loss.
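As an added example, not part of the original post or either author's own code, here is the arithmetic behind the "network capacity vs. CPU time for discarding packets" point above, written out so it can be run. Assumptions (none of them from the thread): Ethernet framing with minimum-size 64-byte frames plus 20 bytes of preamble and inter-frame gap, a 3 GHz core, a hypothetical per-packet reject cost of 1000 cycles, and truncated HMAC-SHA256 standing in for whatever symmetric-key mode the discussion has in mind. The measured figure comes from Python and is therefore pessimistic.

```python
import hashlib
import hmac
import os
import time

# Assumption: Ethernet framing. A minimum-size frame is 64 bytes, plus 8 bytes
# of preamble and a 12-byte inter-frame gap, so 84 bytes of wire time per packet.
MIN_FRAME_BYTES = 64
WIRE_OVERHEAD_BYTES = 8 + 12
TAG_LEN = 16


def packets_per_second(link_bps, frame_bytes=MIN_FRAME_BYTES):
    """Worst-case packet arrival rate on a link saturated with frames of the given size."""
    bits_per_packet = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_bps / bits_per_packet


def cpu_fraction(link_bps, cycles_per_packet, cpu_hz, frame_bytes=MIN_FRAME_BYTES):
    """Fraction of one core consumed by authenticating-and-discarding every packet
    on a saturated link (> 1.0 means the CPU, not the link, is the bottleneck)."""
    return packets_per_second(link_bps, frame_bytes) * cycles_per_packet / cpu_hz


def make_filter(key):
    """Return verify(packet) -> bool. The last TAG_LEN bytes are a truncated
    HMAC-SHA256 tag over the rest (a stand-in for the symmetric-key mode under
    discussion, not the one the thread refers to). compare_digest keeps the
    reject path constant-time with respect to the tag value."""
    def verify(packet):
        if len(packet) <= TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        return hmac.compare_digest(expected, tag)
    return verify


def seal(key, body):
    """Append a valid tag to body (what an authorized sender does)."""
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def measure_reject_cost(n=20000, cpu_hz=3.0e9):
    """Time n rejections of constructed junk packets. Returns (seconds per packet,
    estimated cycles per packet at the assumed clock). The clock is a guess, so
    treat the cycle figure as order-of-magnitude only."""
    verify = make_filter(os.urandom(32))
    junk = [os.urandom(MIN_FRAME_BYTES) for _ in range(256)]  # constructed flood traffic
    start = time.perf_counter()
    for i in range(n):
        verify(junk[i % 256])
    per_packet = (time.perf_counter() - start) / n
    return per_packet, per_packet * cpu_hz


def scenario(cycles_per_packet, cpu_hz=3.0e9, links=(100e6, 1e9, 10e9)):
    """Map link speed -> (packets/s, fraction of one core) for a given reject cost."""
    return {bps: (packets_per_second(bps), cpu_fraction(bps, cycles_per_packet, cpu_hz))
            for bps in links}


if __name__ == "__main__":
    _, cycles = measure_reject_cost()
    print(f"measured reject cost: ~{cycles:,.0f} cycles/packet (Python, so pessimistic)")
    for cost in (1000, cycles):
        print(f"\ncost = {cost:,.0f} cycles/packet")
        for bps, (pps, frac) in scenario(cost).items():
            print(f"  {bps / 1e6:>7,.0f} Mbit/s: {pps:>12,.0f} pkt/s  -> {frac:6.2f} cores")
```

Running it shows the shape of the disagreement: at 100 Mbit/s a saturated link delivers about 149,000 minimum-size packets per second, at 1 Gbit/s about 1.49 million, so whether the reject path costs 1,000 cycles or 30,000 decides whether a single core keeps up. The `seal`/`make_filter` pair is the "authorized users only" filter from the quoted text; the numbers for the Internet-facing case depend entirely on the link speed you plug in.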