BGP FlowSpec

[danny at tcb.net (Danny McPherson)]

On 2016-05-02 09:16 AM, Martin Bacher wrote:

> I mainly agree on that. However, I have not found evidence of inter-AS
> S-RTBH deployments as of now. This would really require, at least in
> my understanding, a lot of hacks in order to implement it properly and
> avoid blackholing of the wrong traffic. BGP-FS is clearly doing a
> better job in that area. However, Tier 1s and most probably also some
> of the Tier 2s may not want to offer it to customers because they are
> loosing money if less traffic is sent downstream on IP-Transit links.

While possibly true in an small number of circumstance, I think that's a 
fairly naive view of the issue.  That said, preventing collateral damage 
on the trajectory towards network egress was one of the primary drivers 
for destination-based RTBH (sacrifice the target to save the lot).


> Great. Thanks for sharing that. One must just make sure that the tools
> are used properly. High volume attacks can easily mitigated in many
> cases with BGP-FS while while other attacks like low bandwidth TCP
> attacks will have to be mitigated by scrubbing centers.

Even some of those can be mitigated with network and transport layer 
controls, but certainly, there are places where you need application 
layer "scrubbing".

> @SDN/NFV: I am not so sure if this will really help or make things
> just more complicated. I have just been told that people are working
> on netconf/yang solutions for ACL deployments, which may again only
> work for intra-AS deployments. But your comment is going, at least in
> my understand, beyond ACL deployments, right? Could you please
> elaborate a bit further on that.

All these techniques (from ACLs to BGP* to SDN) are all effectively 
about programming the forwarding path, albeit with more and more 
granularity, it's just a matter of where and what the management/control 
plane is.  I agree with your intra-AS comment.

-danny