upstream support for flowspec

• Previous message (by thread): upstream support for flowspec
• Next message (by thread): upstream support for flowspec
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On (2014-09-18 13:53 -0400), Daniel Corbe wrote:

Hi Daniel,

> This seems like it would be a godsend for small operators like myself who don't have
> access to unlimited bandwidth and are put off by off-site scrubbing
> services.  
> 
> As far as I can tell though the only platforms that offer support are
> the 7750-SR and platforms made by Juniper.

Cisco IOS-XR supports flowspec today as well.

How much more would you pay per Mbps/month to have operator offer flowspec?
IP transit is quite low margin product, supporting flowspec may have some
adverse effects to business case:

a) you're paying less, as you're not receiving the traffic
b) operator may get more traffic, as attack does not yield desired outcome

And when we look at the feature technically

a) junos does not allow setting flowspec on in FW filters and then apply FW
filter where you wish to do it, it's automatically turned on for all traffic
transiting box. This may be undesirable.

b) by default junos accepts all flowspec actions, such as diverting traffic to
new IP or new VRF. This may cause undesirable security issues.

c) added feature == added complexity == reduced availability

-- 
  ++ytti

• Previous message (by thread): upstream support for flowspec
• Next message (by thread): upstream support for flowspec
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]