FlowSpec
Denys Fedoryshchenko
nuclearcat at nuclearcat.com
Thu Apr 23 16:31:24 UTC 2020
On 2020-04-23 19:12, Roland Dobbins wrote:
> On 23 Apr 2020, at 22:57, Denys Fedoryshchenko wrote:
>
>> In general operators don't like flowspec
>
> Its increasing popularity tends to belie this assertion.
>
> Yes, you're right that avoiding overflowing the TCAM is very
> important. But as Rich notes, a growing number of operators are in
> fact using flowspec within their own networks, when it's appropriate.
One of the operators told me why they don't provide flowspec anymore:
customers are installing rules by scripts, stacking them,
and not removing them when they don't need them anymore.
RETN solved that by limiting the number of rules a customer can install.
>
> Smart network operators tend to do quite a bit of lab testing,
> prototyping, PoCs, et al. against the very specific combinations of
> platforms/linecards/ASICs/OSes/trains/revisions before generally
> deploying new features and functionality; this helps ameliorate many
> concerns.
Definitely, and I know some hosting operators who provide Flowspec
functionality a different way - over their own web interface/API.
This way they can do unit tests, and do additional verifications.
But if there is direct BGP, things like
https://dyn.com/blog/longer-is-not-better/
might happen, if the customer is using some exotic, "nightly-build" BGP
implementation.
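
An added sketch, not part of the original message or any operator's code: an API-side admission gate of the kind described above, combining a per-customer rule cap with extra verification before anything reaches BGP. The class name, the limits, the rule lifetime and the allocation check are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_RULES = 3      # assumed per-customer cap on active rules
MAX_TTL = 3600     # assumed maximum rule lifetime, in seconds

@dataclass
class FlowspecGate:
    """Hypothetical gate between a customer API and the flowspec speaker."""
    allocations: dict                            # customer -> prefixes it may protect
    active: dict = field(default_factory=dict)   # customer -> {rule key: expiry time}

    def expire(self, now):
        """Drop rules past their lifetime; return (customer, key) pairs to withdraw."""
        withdrawn = []
        for cust, rules in self.active.items():
            for key in [k for k, exp in rules.items() if exp <= now]:
                del rules[key]
                withdrawn.append((cust, key))
        return withdrawn

    def submit(self, cust, dst, proto, dport, ttl, now):
        """Validate one rule request and return 'accept' or a 'reject: ...' reason."""
        self.expire(now)
        try:
            net = ipaddress.ip_network(dst, strict=True)
        except ValueError:
            return "reject: malformed destination prefix"
        owned = [ipaddress.ip_network(p) for p in self.allocations.get(cust, [])]
        if not any(net.version == o.version and net.subnet_of(o) for o in owned):
            return "reject: destination outside customer allocation"
        if not 0 < ttl <= MAX_TTL:
            return "reject: ttl out of range"
        rules = self.active.setdefault(cust, {})
        key = (str(net), proto, dport)
        # A repeated request refreshes the existing rule instead of stacking a copy.
        if key not in rules and len(rules) >= MAX_RULES:
            return "reject: rule limit reached"
        rules[key] = now + ttl
        return "accept"
```

Because every rule carries an expiry, a script that never cleans up after itself stops consuming TCAM entries once the lifetime runs out.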