upstream support for flowspec

Daniel Corbe corbe at corbe.net
Thu Sep 18 19:12:29 UTC 2014


Saku Ytti <saku at ytti.fi> writes:

> On (2014-09-18 13:53 -0400), Daniel Corbe wrote:
>
> Hi Daniel,
>
>> This seems like it would be a godsend for small operators like
>> myself who don't have
>> access to unlimited bandwidth and are put off by off-site scrubbing
>> services.  
>> 
>> As far as I can tell though the only platforms that offer support are
>> the 7750-SR and platforms made by Juniper.
>
> Cisco IOS-XR supports flowspec today as well.
>
> How much more would you pay per Mbps/month to have operator offer flowspec?
> IP transit is quite low margin product, supporting flowspec may have some
> adverse effects to business case:
>
> a) you're paying less, as you're not receiving the traffic

This ventures into the realm of an operator doing something responsible
to protect me vs routing me unwanted traffic and going "lol, bill."

If you want to start playing that game, I'm happy to pay more per mbit
of traffic if you're happy to guarantee me that you won't route me
traffic that I'm expressly uninterested in.

> b) operator may get more traffic, as attack does not yield desired
> outcome

Not necessarily true.  If I can identify and push malicious traffic
towards your edge, then you can do the same towards your peers. 

If I can ask you to filter by source, can you turn around and do so by
source *AND* destination?  You know what I'm announcing, so it seems
like this ought to be possible.  Short of that, it would require us to
be in a trust relationship and I can see how that would be problematic.

If we circle back around to paying a premium for the service, then I'm
going to expect you to absorb the attack on my behalf.


>
> And when we look at the feature technically
>
> a) junos does not allow setting flowspec on in FW filters and then apply FW
> filter where you wish to do it, it's automatically turned on for all traffic
> transiting box. This may be undesirable.
>
> b) by default junos accepts all flowspec actions, such as diverting traffic to
> new IP or new VRF. This may cause undesirable security issues.
>
> c) added feature == added complexity == reduced availability

-Daniel


More information about the NANOG mailing list