Request comment: list of IPs to block outbound

adamv0025 at netconsultings.com
Tue Oct 22 12:28:10 UTC 2019


> From: Saku Ytti <saku at ytti.fi>
> Sent: Tuesday, October 22, 2019 11:54 AM
> 
> On Mon, 21 Oct 2019 at 23:14, <adamv0025 at netconsultings.com> wrote:
> 
> > The obvious drawback especially for TCAM based systems is the scale,
> > so not only we'd need to worry if our FIB can hold 800k prefixes, but
> > also if the filter memory can hold the same amount -in addition to
> > whatever additional filtering we're doing at the edge (comb filters
> > for DoS protection etc...)
> 
> This is actually a somewhat cheap problem, if you optimise for it. That is, rules
> are somewhat expensive, but N prefixes per rule are not, when designed
> with that requirement. Certainly the BOM effect can be entirely ignored.
> However this is of course only true if that was the design goal; it won't help in a
> situation where HW is in place and doesn't scale there. Just pointing out
> that there are no technical or commercial problems getting there, should we
> so want.
> 
Well sure, if BGP prefix = ACL prefix had been true from the get-go, both scaling problems would have been catered for in unison and we wouldn't even notice.
People here would be asking for recommendations on a new/replacement edge router that can support 1M routes and filter entries...
But the reality is that long filters can significantly decrease the performance of modern (100G-capable) NPUs/PFEs.

adam
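The scaling point above (filter memory needing to hold as many prefixes as the FIB, and a rule being costly while the prefixes inside it are cheap) is easier to see with a concrete pass over a block list. The script below is an added example, not code from this thread or from any vendor: it collapses overlapping and adjacent prefixes into the minimal covering set with the standard library's ipaddress.collapse_addresses, counts the filter entries saved, and renders the result as a single Junos-style term that references one prefix-list (one rule, N prefixes). The sample prefixes are constructed from RFC 5737/6598 space, the prefix-list and filter names are hypothetical, and the Junos fragment is illustrative (IPv4 only, family inet).

```python
"""Collapse an outbound block list into the fewest filter entries.

Added example for the NANOG thread on blocking ~800k prefixes outbound;
not code from the thread. The sample list below is constructed from
documentation / shared address space purely to show the mechanics.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Constructed sample: the kinds of redundancy a BGP-derived list contains.
SAMPLE_PREFIXES = [
    "192.0.2.0/25", "192.0.2.128/25",       # two aligned halves -> one /24
    "198.51.100.0/24", "198.51.100.64/26",  # /26 already covered by the /24
    "203.0.113.0/24", "203.0.114.0/24",     # adjacent but 113/114 do not align
    "100.64.0.0/10",                        # shared address space, stays as-is
    "203.0.112.0/24",                       # pairs with 203.0.113.0/24 -> /23
]


def collapse(prefixes: Iterable[str]) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    """Return the minimal set of networks covering exactly the same space.

    collapse_addresses refuses mixed address families, so v4 and v6 are
    collapsed separately and concatenated (v4 first).
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out


def entry_savings(prefixes: Iterable[str]) -> tuple[int, int]:
    """(entries before, entries after) collapsing; the TCAM cost that matters."""
    raw = list(prefixes)
    return len(raw), len(collapse(raw))


def render_junos(nets, list_name: str = "BLOCK-OUT", filter_name: str = "OUTBOUND-EDGE") -> str:
    """One prefix-list plus one filter term: the 'N prefixes per rule' shape.

    Illustrative Junos syntax; names are hypothetical. Only IPv4 networks are
    emitted because the fragment is a family inet filter.
    """
    v4 = [n for n in nets if n.version == 4]
    body = "\n".join(f"        {n};" for n in v4)
    return f"""policy-options {{
    prefix-list {list_name} {{
{body}
    }}
}}
firewall {{
    family inet {{
        filter {filter_name} {{
            term drop-listed {{
                from {{ destination-prefix-list {{ {list_name}; }} }}
                then {{ count dropped-outbound; discard; }}
            }}
            term accept-rest {{ then accept; }}
        }}
    }}
}}"""


if __name__ == "__main__":
    before, after = entry_savings(SAMPLE_PREFIXES)
    print(f"{before} raw entries -> {after} collapsed entries")
    print(render_junos(collapse(SAMPLE_PREFIXES)))
```

On the constructed list this turns 8 entries into 5; on a real route-derived feed the reduction depends on how much of it is de-aggregated, and the collapsed set is the number to compare against the platform's filter-memory limit, not the raw count. Note that collapsing is only safe when every prefix gets the same action (here: discard); entries with different actions must be collapsed per action.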
