upstream support for flowspec

Daniel Corbe corbe at corbe.net
Thu Sep 18 19:15:41 UTC 2014


Also, if I'm buying full line rate commit from you then you're not
actually losing any money on the deal whether or not you route me the
traffic.

-Daniel

Daniel Corbe <corbe at corbe.net> writes:

> Saku Ytti <saku at ytti.fi> writes:
>
>> On (2014-09-18 13:53 -0400), Daniel Corbe wrote:
>>
>> Hi Daniel,
>>
>>> This seems like it would be a godsend for small operators like
>>> myself who don't have
>>> access to unlimited bandwidth and are put off by off-site scrubbing
>>> services.
>>> 
>>> As far as I can tell though the only platforms that offer support are
>>> the 7750-SR and platforms made by Juniper.
>>
>> Cisco IOS-XR supports flowspec today as well.
>>
>> How much more would you pay per Mbps/month to have operator offer flowspec?
>> IP transit is quite low margin product, supporting flowspec may have some
>> adverse effects to business case:
>>
>> a) you're paying less, as you're not receiving the traffic
>
> This ventures into the realm of an operator doing something responsible
> to protect me vs routing me unwanted traffic and going "lol, bill."
>
> If you want to start playing that game, I'm happy to pay more per mbit
> of traffic if you're happy to guarantee me that you won't route me
> traffic that I'm expressly uninterested in.
>
>> b) operator may get more traffic, as attack does not yield desired
>> outcome
>
> Not necessarily true.  If I can identify and push malicious traffic
> towards your edge, then you can do the same towards your peers.
>
> If I can ask you to filter by source, can you turn around and do so by
> source *AND* destination?  You know what I'm announcing, so it seems
> like this ought to be possible.  Short of that, it would require us to
> be in a trust relationship and I can see how that would be problematic.
>
> If we circle back around to paying a premium for the service, then I'm
> going to expect you to absorb the attack on my behalf.
>
>
>>
>> And when we look at the feature technically
>>
>> a) junos does not allow setting flowspec on in FW filters and then apply FW
>> filter where you wish to do it, it's automatically turned on for all traffic
>> transiting box. This may be undesirable.
>>
>> b) by default junos accepts all flowspec actions, such as diverting traffic to
>> new IP or new VRF. This may cause undesirable security issues.
>>
>> c) added feature == added complexity == reduced availability
>
> -Daniel
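The two technical concerns raised in the quoted exchange, that a customer's flowspec rule should only ever touch traffic destined to prefixes that customer actually announces (Daniel's "filter by source *AND* destination" point, which is the RFC 5575 section 6 validation rule), and that an upstream should not accept every flowspec action a customer sends (Saku's point about redirect-to-VRF being on by default), can both be expressed as a small validator. The code below is an added illustration for this thread; it is not code from either poster, from Juniper or Cisco, or from any router. The rule representation, the `FlowRule` class, the `ANNOUNCED` prefix list and the sample rules are all constructed for the example; the extended-community type codes are the ones from RFC 5575 section 7.

```python
"""Validator for customer-originated BGP flowspec rules (RFC 5575).

Added example for the thread above, not code from any poster or vendor.
It models two checks an upstream would apply before installing a customer's
flowspec rule in its own forwarding plane:

  1. the rule must carry a destination prefix covered by a prefix the same
     customer announces to us (RFC 5575 section 6), so the customer can ask
     us to drop traffic headed *to them* but never traffic headed elsewhere;
  2. the action must be on a short allow-list (rate-limit / discard, DSCP
     marking); redirect-to-VRF is refused, since it would let a customer
     steer traffic into a VRF of their choosing.

All rules and prefixes below are constructed sample input, not real routes.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Extended-community type codes for flowspec actions (RFC 5575 section 7).
TRAFFIC_RATE = 0x8006      # rate limit in bytes/s; a rate of 0 means discard
TRAFFIC_ACTION = 0x8007    # terminal-action / sample flags
REDIRECT_VRF = 0x8008      # redirect into the VRF named by a route target
TRAFFIC_MARKING = 0x8009   # rewrite DSCP

# Actions an upstream is willing to take on a customer's say-so (assumed policy).
SAFE_ACTIONS = {TRAFFIC_RATE, TRAFFIC_MARKING}


@dataclass
class FlowRule:
    """One flowspec NLRI reduced to the fields the checks need (hypothetical type)."""
    dst: Optional[str]                                  # type 1 component, or None
    src: Optional[str]                                  # type 2 component, or None
    actions: List[Tuple[int, int]] = field(default_factory=list)  # (ext-comm type, value)


def covered(prefix: str, announced: List[str]) -> bool:
    """True if `prefix` lies inside one of the customer's announced prefixes."""
    net = ip_network(prefix, strict=False)
    return any(
        net.subnet_of(ip_network(a, strict=False))
        for a in announced
        if ip_network(a, strict=False).version == net.version
    )


def validate_rule(rule: FlowRule, announced: List[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one rule received on one customer session."""
    # A rule with no destination would match every flow transiting the box;
    # refuse it rather than let a customer install a global filter.
    if rule.dst is None:
        return False, "no destination prefix"
    if not covered(rule.dst, announced):
        return False, f"destination {rule.dst} not within announced prefixes"
    if not rule.actions:
        return False, "no action"
    for etype, value in rule.actions:
        if etype not in SAFE_ACTIONS:
            return False, f"action 0x{etype:04x} not permitted"
        if etype == TRAFFIC_RATE and value < 0:
            return False, "negative rate"
    return True, "ok"


def filter_rules(rules: List[FlowRule], announced: List[str]):
    """Split rules into those to install and (rule, reason) pairs to refuse."""
    accepted, rejected = [], []
    for r in rules:
        ok, why = validate_rule(r, announced)
        if ok:
            accepted.append(r)
        else:
            rejected.append((r, why))
    return accepted, rejected


# Constructed sample data: what "we" (the upstream) hear the customer announce.
ANNOUNCED = ["192.0.2.0/24", "2001:db8::/32"]

SAMPLE_RULES = [
    # drop everything aimed at one of the customer's hosts: accepted
    FlowRule(dst="192.0.2.10/32", src=None, actions=[(TRAFFIC_RATE, 0)]),
    # rate-limit one source towards the customer's prefix: accepted
    FlowRule(dst="192.0.2.0/24", src="198.51.100.0/24", actions=[(TRAFFIC_RATE, 10_000_000)]),
    # destination belongs to somebody else: rejected
    FlowRule(dst="203.0.113.5/32", src=None, actions=[(TRAFFIC_RATE, 0)]),
    # redirect into a VRF, destination is the customer's but the action is not allowed
    FlowRule(dst="192.0.2.0/24", src=None, actions=[(REDIRECT_VRF, 0x00010001)]),
    # source-only rule with no destination would hit all transit traffic: rejected
    FlowRule(dst=None, src="198.51.100.0/24", actions=[(TRAFFIC_RATE, 0)]),
]


def demo():
    """Run the sample set; returns (number accepted, list of rejection reasons)."""
    accepted, rejected = filter_rules(SAMPLE_RULES, ANNOUNCED)
    return len(accepted), [why for _, why in rejected]


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(validate_rule(r, ANNOUNCED), r)
```

The destination check is the one that makes a source-based request safe to honour without a trust relationship: the customer may name any source it likes, but the rule only ever affects packets the upstream would have delivered to that customer anyway. Whether the upstream then re-exports the accepted rule towards its own peers is a separate policy decision, and the same validation should be applied again on the receiving side.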



More information about the NANOG mailing list