nanog mailing list archives
Re: upstream support for flowspec
From: Daniel Corbe <corbe () corbe net>
Date: Thu, 18 Sep 2014 15:15:41 -0400
Also, if I'm buying full line rate commit from you then you're not actually losing any money on the deal whether or not you route me the traffic.

-Daniel

Daniel Corbe <corbe () corbe net> writes:

> Saku Ytti <saku () ytti fi> writes:
>
>> On (2014-09-18 13:53 -0400), Daniel Corbe wrote:
>>
>> Hi Daniel,
>>
>>> This seems like it would be a godsend for small operators like myself
>>> who don't have access to unlimited bandwidth and are put off by off-site
>>> scrubbing services. As far as I can tell though the only platforms that
>>> offer support are the 7750-SR and platforms made by Juniper.
>>
>> Cisco IOS-XR supports flowspec today as well.
>>
>> How much more would you pay per Mbps/month to have operator offer flowspec?
>>
>> IP transit is quite low margin product, supporting flowspec may have some
>> adverse effects to business case:
>>
>> a) you're paying less, as you're not receiving the traffic
>
> This ventures into the realm of an operator doing something responsible
> to protect me vs routing me unwanted traffic and going "lol, bill."
>
> If you want to start playing that game, I'm happy to pay more per mbit
> of traffic if you're happy to guarantee me that you won't route me
> traffic that I'm expressly uninterested in.
>
>> b) operator may get more traffic, as attack does not yield desired outcome
>
> Not necessarily true. If I can identify and push malicious traffic
> towards your edge, then you can do the same towards your peers. If I can
> ask you to filter by source, can you turn around and do so by source
> *AND* destination? You know what I'm announcing, so it seems like this
> ought to be possible. Short of that, it would require us to be in a
> trust relationship and I can see how that would be problematic. If we
> circle back around to paying a premium for the service, then I'm going
> to expect you to absorb the attack on my behalf.
>
>> And when we look at the feature technically
>>
>> a) junos does not allow setting flowspec on in FW filters and then apply
>> FW filter where you wish to do it, it's automatically turned on for all
>> traffic transiting box. This may be undesirable.
>> b) by default junos accepts all flowspec actions, such as diverting
>> traffic to new IP or new VRF. This may cause undesirable security issues.
>> c) added feature == added complexity == reduced availability
>
> -Daniel
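Added example, not part of the archived message or any participant's code: a sketch of the acceptance policy an upstream could apply to customer-originated flowspec rules, covering the two concerns raised in the thread (rules scoped to what the customer announces, and no redirect-type actions accepted by default). The rule dictionary layout, action names and prefixes are constructed for illustration and do not reflect any vendor's syntax.

```python
import ipaddress

# Assumption: only actions that drop or police traffic are accepted from a
# customer; redirect-type actions (new IP or new VRF) are refused.
ALLOWED_ACTIONS = {"discard", "rate-limit"}

def validate_rule(rule, customer_prefixes):
    """Return (accepted, reason) for one customer-originated flowspec rule.

    rule is a dict with 'dst' (destination prefix), optional 'src', and
    'action'. customer_prefixes are the unicast prefixes the customer
    announces on the same session.
    """
    if rule.get("action") not in ALLOWED_ACTIONS:
        return False, "action not permitted: %s" % rule.get("action")
    if not rule.get("dst"):
        return False, "no destination prefix"
    dst = ipaddress.ip_network(rule["dst"], strict=False)
    announced = [ipaddress.ip_network(p) for p in customer_prefixes]
    # The rule may only match traffic headed to address space the customer
    # itself announces, so it cannot filter anyone else's traffic.
    if not any(dst.version == a.version and dst.subnet_of(a) for a in announced):
        return False, "destination %s not inside announced space" % dst
    if rule.get("src"):
        ipaddress.ip_network(rule["src"], strict=False)  # raises if malformed
    return True, "ok"

# Constructed sample data (documentation address ranges).
ANNOUNCED = ["192.0.2.0/24", "2001:db8:100::/48"]
RULES = [
    {"dst": "192.0.2.10/32", "src": "198.51.100.0/24", "action": "discard"},
    {"dst": "192.0.2.10/32", "action": "redirect-vrf"},
    {"dst": "203.0.113.5/32", "action": "discard"},
    {"src": "198.51.100.0/24", "action": "rate-limit"},
    {"dst": "2001:db8:100:1::/64", "action": "rate-limit"},
]

def check_all():
    """Accept/reject verdict for each constructed rule, in order."""
    return [validate_rule(r, ANNOUNCED)[0] for r in RULES]

if __name__ == "__main__":
    for r in RULES:
        print(validate_rule(r, ANNOUNCED), r)
```
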