How stable can GRE transports and BGP sessions be when under load? I typically protect the BGP session by policing all traffic being delivered to the remote end except for BGP. Using this posture, my BGP session over GRE are stable; even under attack. Kenneth On Jun 30, 2015, at 01:37 PM, Dennis B <infinityape@gmail.com> wrote: Roland, Agreed, Ramy's scenario was not truly spot on, but his question still remains. Perf implications when cloud security providers time to detect/mitigate is X minutes. How stable can GRE transports and BGP sessions be when under load? In my technical opinion, this is a valid argument, which deems wide opinion. Specifically, use-cases about how to apply defense in depth logically in the DC vs Hybrid vs Pure Cloud. Good topic, already some back-chatter personal opinions from Nanog lurkers! Regards, Dennis B. On Tue, Jun 30, 2015 at 2:45 PM, Roland Dobbins <rdobbins@arbor.net> wrote: On 1 Jul 2015, at 1:37, Dennis B wrote: Would you like to learn more? lol I'm quite conversant with all these considerations, thanks. OP asserted that BGP sessions for diversion into any cloud DDoS mitigation service ran from the endpoint network through GRE tunnels to the cloud-based mitigation provider. I was explaining that in most cloud mitigation scenarios, GRE tunnels are used for re-injection of 'clean' traffic to the endpoint networks. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>