On 2020-04-23 19:12, Roland Dobbins wrote:
On 23 Apr 2020, at 22:57, Denys Fedoryshchenko wrote:
In general operators don't like flowspec
Its increasing popularity tens to belie this assertion.
Yes, you're right that avoiding overflowing the TCAM is very important. But as Rich notes, a growing number of operators are in fact using flowspec within their own networks, when it's appropriate. One of operators told me why they dont provide flowspec anymore: customers are installing rules by scripts, stacking them, and not removing then when they dont need them anymore. RETN solved that by limiting number of rules customer can install.
Smart network operators tend to do quite a bit of lab testing, prototyping, PoCs, et. al. against the very specific combinations of platforms/linecards/ASICs/OSes/trains/revisions before generally deploying new features and functionality; this helps ameliorate many concerns.
Definitely, and i know some hosting operators who provide Flowspec functionality different way - over their own web interface/API. This way they can do unit tests, and do additional verifications. But if there is direct BGP, things like https://dyn.com/blog/longer-is-not-better/ might happen, if customer is using some exotic, "nightly-build" BGP implementation.