BGP FlowSpec

Roland Dobbins rdobbins at
Mon May 2 21:38:46 UTC 2016

On 2 May 2016, at 20:16, Martin Bacher wrote:

>  However, Tier 1s and most probably also some of the Tier 2s may not 
> want to offer it to customers because they are losing money if less 
> traffic is sent downstream on IP-Transit links.

I will go a step further than Danny's comments and state that this is 
categorically and demonstrably untrue.

Many of the quite large 'Tier-1' and 'Tier-2' (using the old 
terminology) operators on this list offer commercial DDoS mitigation 
services making use of technologies like D/RTBH, S/RTBH, IDMS, et al. 
due to customer demand.  They need these capabilities in order to defend 
their own properties and assets, and they are also offering them to 
end-customers who want and need them.

In point of fact, it's becoming difficult to find one which *doesn't* 
offer this type of service.

There were a couple of situations in the first half of the first decade 
of this millennium where operators took this attitude.  But they changed 
their tunes pretty rapidly once they themselves were impacted, and once 
they started losing customers because they couldn't and wouldn't protect 

And as Danny notes, these technologies are all tools in the toolbox.  
NFV and 'SDN' have tremendous potential to make it a lot easier to bring 
mitigation resources to bear in a dynamic and optimal fashion within 
single spans of administrative control; and there are standards-based 
efforts underway to provide for a higher degree of automation, increased 
rapidity of response, and interoperability in both inter- and 
intra-network DDoS mitigation scenarios.

Roland Dobbins <rdobbins at>
