Announcing the Community FlowSpec trial
Richard A Steenbergen
ras at e-gerbil.net
Wed Jan 5 18:51:10 CST 2011
On Wed, Jan 05, 2011 at 05:46:36PM -0600, John Kristoff wrote:
> Friends and colleagues,
> At NANOG 48 I talked about a community flow-spec service we were
> looking at trying to make work. This is the idea of using IETF RFC
> 5575 to pass around flow-based rules, in this case, primarily for
> dropping unwanted packets.
> This technology is not as widely deployed as traditional RTBH
> techniques for a number of reasons. However, we thought perhaps it
> was widely used enough, or could be, to justify what might be a
> helpful and free 3rd party feed of flow-spec routes to keep our
> networks a little bit cleaner.
> A trial of this feed based on the traditional bogon routes can be had
> by contacting me directly. We realize the traditional IPv4 reserved,
> special and unallocated IPv4 bogon address is dwindling. Maybe there
> is room for some other type of feed, but to justify that, we're
> looking to see if even enough people would set up this presumably
> simpler feed to help us and the community get some more experience
> with multi-hop flow-spec.
As a word of warning to anyone who wants to deploy this on their Juniper
routers (what other router vendors support it? :P), there are some
pretty serious performance considerations of which you should be aware.
For example, we discovered that on MX routers (with classic I-chip DPCs,
the performance should be somewhat better for Trio cards but we haven't
fully tested the exact numbers yet), installing as few as a dozen
flowspec routes can create firewall filters that use enough SRAM
accesses that you will no longer be able to achieve line rate
packets/sec. With a few more rules, you may find that your 10GE's will
only be able to handle 3-5Mpps instead of the normal 14.8Mpps. When this
happens, excess traffic above what the firewall filters can handle will
be silently discarded, with no indication in SNMP or "show interface"
that you're dropping packets (though you may be able to see it in "show
pfe statistics traffic" as Info cell drops).
I can't tell you what the performance numbers are for other platforms,
but anyone thinking about turning on flowspec from a third party source
(especially one who may be sending them a large number of rules) should
give serious consideration to the potential impact on their network.
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
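A monitoring check for the failure mode described above, added here as an example and not part of the thread: it parses two polls of the hardware-discard section of `show pfe statistics traffic` (the sample output is constructed and the exact layout of that section is assumed) and flags a rising "Info cell drops" counter, since neither SNMP nor "show interface" will reveal these drops.

```python
import re

# Constructed sample output in the shape of the hardware discard section of
# Junos "show pfe statistics traffic"; the counter values are invented.
SNAPSHOT_BEFORE = """\
Packet Forwarding Engine hardware discard statistics:
    Timeout                   :                    0
    Normal discard            :                  120
    Info cell drops           :                    0
    Fabric drops              :                    0
"""

# Second poll a few minutes later, after a batch of flowspec routes was installed.
SNAPSHOT_AFTER = """\
Packet Forwarding Engine hardware discard statistics:
    Timeout                   :                    0
    Normal discard            :                  120
    Info cell drops           :              4831977
    Fabric drops              :                    0
"""

# One "<name> : <integer>" counter line (assumed layout of that section).
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$", re.M)


def parse_discards(text):
    """Return {counter name: value} for the hardware discard section only."""
    parts = text.split("hardware discard statistics:", 1)
    if len(parts) < 2:
        return {}
    return {name.strip(): int(val) for name, val in COUNTER_RE.findall(parts[1])}


def counter_deltas(before, after):
    """Per-counter growth between two polls (counters absent earlier count from 0)."""
    b, a = parse_discards(before), parse_discards(after)
    return {name: a[name] - b.get(name, 0) for name in a}


def info_cell_drop_alert(before, after, threshold=0):
    """True when Info cell drops grew by more than `threshold` between the polls."""
    return counter_deltas(before, after).get("Info cell drops", 0) > threshold


if __name__ == "__main__":
    for name, delta in counter_deltas(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{name:20s} +{delta}")
    if info_cell_drop_alert(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print("ALERT: Info cell drops rising; check filter load from flowspec routes")
```

In practice the two snapshots come from polling the router on a schedule and correlating alerts with the number of flowspec routes currently received from the feed.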