On 15 Jan 2020, at 6:37, Lumin Shi wrote:
What we meant by "may not have necessary capacity" is that routers do not have enough CAM/TCAM space to deploy/install ACLs, BGP FlowSpec rules against large-scale DDoS attacks without 1) incurring major collateral damage (e.g., deploy /16 source-based rules instead of /32 so that more DDoS traffic can be filtered while using less CAM/TCAM space), or 2) performance penalties that are introduced by deploying more filters than a router's data plane can support (i.e., data plane to control plane I/O limitation).
We can agree that nothing is infinite, nothing is free. TANSTAAFL. Nevertheless, despite the fact that TCAM space is neither infinite nor free, and while they aren't free in terms of performance, ACLs — whether installed statically or dynamically via flowspec rules — are used every second of every minute of every hour of every day to mitigate large-scale DDoS attacks on large networks.

Features do indeed contend for TCAM space, and of course operators want as much as is practicable. LOU expansion can affect how much TCAM space a given ACL consumes on a given ASIC/linecard/platform. On hardware platforms from major vendors, TCAM space can often be carved to allocate features, and operators do this in order to allocate more space for ACL stanzas, or flowspec rules, or whatever.

However, as demonstrated above, your thesis as stated is overbroad and directly contradicted by operational reality. A key point is that operators must understand the performance envelopes and characteristics of their infrastructure gear, so that they can avoid causing issues by overtaxing it.

Here is a particular .pdf presentation which discusses issues of this nature: <https://app.box.com/s/xznjloitly2apixr5xge>

You are not wrong to posit that hardware capacity and capabilities are neither infinite nor free. But that has been well-understood in the operational community for a long time, and is neither novel nor particularly insightful. It certainly isn't a topic that one would imagine merits formal academic investigation, given that it's a commonplace amongst those involved in the operational community. It just isn't an interesting topic, in and of itself.

Something broader in terms of operator perception of gaps across the gamut of required DDoS mitigation capabilities at scale would potentially be of more value.

Please feel free to contact me 1:1 to discuss further, if you like.

--------------------------------------------
Roland Dobbins <roland.dobbins@netscout.com>