lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 21 Apr 2014 14:54:12 -0700
From:	Chema Gonzalez <>
To:	Alexei Starovoitov <>
Cc:	David Miller <>,
	Eric Dumazet <>,
	Daniel Borkmann <>,
	Network Development <>
Subject: Re: [PATCH v2] filter: added BPF random opcode

On Mon, Apr 21, 2014 at 2:46 PM, Alexei Starovoitov <> wrote:
> as I was saying in the other thread, would be nice to see more
> realistic example, since "icmp 1 in 4" can be done in user space...
> What is the real problem being solved?
> I suspect for true packet sampling you'd need to have the knowledge
> of packet rate, potentially computing time delta within filter with
> another extension?
> The patch itself looks good to me.
Random sampling. There's a huge performance penalty if you do this in
user-space. You don't want to send all the packets to user-space to
just get (e.g.) 1 in 1000 and discard all the others.


When dealing with large volumes of network traffic, we can often
derive significant
benefit while minimizing the processing cost by employing sampling.
Generally, this
is done on either a per-packet or per-connection basis. BPF does not
provide access
to pseudo-random numbers, so applications have had to rely on proxies
for random-
ness in terms of network header fields with some semblance of entropy
across packets
(checksum and IP fragment identifier fields) or connections (ephemeral
ports). These
sometimes provide acceptable approximations to random sampling, but
can also suffer
from significant irregularities due to lack of entropy or aliasing;
see [11] for an analysis.

To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists