Hello Dennis, I am very happy because somebody is on the same page.
Message: 20
Date: Tue, 30 Jun 2015 14:37:55 -0400
From: Dennis B <infinityape@gmail.com>
To: Roland Dobbins <rdobbins@arbor.net>
Cc: nanog@nanog.org
Subject: Re: GRE performance over the Internet - DDoS cloud mitigation
Message-ID: <CAPr+j8J4vs2y8C6AB3FWGhrVF-GLt02inzvxsPs86m2-ChN6eg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Depends on what performance considerations you are trying to address, technically.
The question is how can we guarantee the GRE/BGP performance (control traffic) during the time between detection and mitigation?
Exactly
GRE decapsulation? IE: Hardware vs Software?
Software.
Routing of the Protocol over the internet? IE: If the inbound path is saturated, what is the availability of the GRE tunnel?
Yes.
User-experience with GRE packet overhead? IE: TCP Fragmentation causing PMTUD messages for reassembly?
Not the main concern right now, however I would like to hear from you on this point as well.
I've worked at Prolexic for 7 years and now Akamai for 1.4 yrs, post acquisition.
We are contacting Akamai for the solution by the way, and we are contacting the Prolexic's founders acquired company defense.net (now F5) as well :)
Immediately, I can think of multiple scenarios (3) that come to mind on how to solve any one of these categories.
Would you like to learn more? lol
Sure, I would love to :)

Message: 23
Date: Tue, 30 Jun 2015 16:32:54 -0400
From: Dennis B <infinityape@gmail.com>
To: Roland Dobbins <rdobbins@arbor.net>
Cc: nanog@nanog.org
Subject: Re: GRE performance over the Internet - DDoS cloud mitigation
Message-ID: <CAPr+j8LC7h_LLU+j5kwQcvxwLd8Pd+jwP5W7f62Ph2i7g6ZsTg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Roland,
Agreed, Ramy's scenario was not truly spot on, but his question still remains. Perf implications when cloud security providers' time to detect/mitigate is X minutes. How stable can GRE transports and BGP sessions be when under load?
This is the question.
In my technical opinion, this is a valid argument, which deems wide opinion. Specifically, use-cases about how to apply defense in depth logically in the DC vs Hybrid vs Pure Cloud.
Our defense model will be your so called "in depth logically in the DC", however, we are protecting our NW infrastructure, and we are trying to reach a wholesale agreement in order to protect our customer accordingly. One more thing to elaborate, we have our own DDoS mitigation equipment, and it is located at the edge of the network nearest to the high capacity Internet circuits to minimize the local transit cost. I hope it is clear now.

Thanks,
Ramy