NANOG Digest, Vol 90, Issue 1

Ramy Hashish ramy.ihashish at gmail.com
Wed Jul 8 14:26:31 UTC 2015


Hello Dennis,

I am very happy because somebody is on the same page.


> Message: 20
> Date: Tue, 30 Jun 2015 14:37:55 -0400
> From: Dennis B <infinityape at gmail.com>
> To: Roland Dobbins <rdobbins at arbor.net>
> Cc: nanog at nanog.org
> Subject: Re: GRE performance over the Internet - DDoS cloud mitigation
> Message-ID:
>         <
> CAPr+j8J4vs2y8C6AB3FWGhrVF-GLt02inzvxsPs86m2-ChN6eg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Depends on what performance considerations you are trying to address,
> technically.
>
> The question is how can we guarantee the GRE/BGP performance (control
> traffic) during the time between detection and mitigation?
>
>
Exactly


> GRE decapsulation?
> IE: Hardware vs Software?
>

Software.


> Routing of the Protocol over the internet?
> IE: If the inbound path is saturated, what is the availability of the GRE
> tunnel?
>

Yes.


> User-experience with GRE packet overhead?
> IE: TCP Fragmentation causing PMTUD messages for reassembly?
>
>
Not the main concern right now; however, I would like to hear from you on
this point as well.


> I've worked at Prolexic for 7 years and now Akamai for 1.4 yrs, post
> acquisition.
>
>
We are contacting Akamai for the solution, by the way, and we are contacting
the Prolexic's founders acquired company defense.net (now F5) as well :)


> Immediately, I can think of multiple scenarios (3) that come to mind on
> how to solve any one of these categories.
>
> Would you like to learn more? lol
>
>
Sure I would love to :)


> Message: 23
> Date: Tue, 30 Jun 2015 16:32:54 -0400
> From: Dennis B <infinityape at gmail.com>
> To: Roland Dobbins <rdobbins at arbor.net>
> Cc: nanog at nanog.org
> Subject: Re: GRE performance over the Internet - DDoS cloud mitigation
> Message-ID:
>         <
> CAPr+j8LC7h_LLU+j5kwQcvxwLd8Pd+jwP5W7f62Ph2i7g6ZsTg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Roland,
>
> Agreed, Ramy's scenario was not truly spot on, but his question still
> remains. Perf implications when cloud security providers' time to
> detect/mitigate is X minutes. How stable can GRE transports and BGP
> sessions be when under load?
>
>
This is the question.


> In my technical opinion, this is a valid argument, which deems wide
> opinion. Specifically, use-cases about how to apply defense in depth
> logically in the DC vs Hybrid vs Pure Cloud.
>
>
Our defense model will be your so-called "in depth logically in the DC";
however, we are protecting our NW infrastructure, and we are trying to
reach a wholesale agreement in order to protect our customer accordingly.

One more thing to elaborate: we have our own DDoS mitigation equipment, and
it is located at the edge of the network nearest to the high capacity
Internet circuits to minimize the local transit cost.

I hope it is clear now.

Thanks,

Ramy


