On 2016-05-02 09:16 AM, Martin Bacher wrote:
> I mainly agree on that. However, I have not found evidence of inter-AS S-RTBH deployments as of now. This would really require, at least in my understanding, a lot of hacks in order to implement it properly and avoid blackholing of the wrong traffic. BGP-FS is clearly doing a better job in that area. However, Tier 1s and most probably also some of the Tier 2s may not want to offer it to customers because they are losing money if less traffic is sent downstream on IP-Transit links.

While possibly true in a small number of circumstances, I think that's a fairly naive view of the issue. That said, preventing collateral damage on the trajectory towards network egress was one of the primary drivers for destination-based RTBH (sacrifice the target to save the lot).

> Great. Thanks for sharing that. One must just make sure that the tools are used properly. High volume attacks can easily be mitigated in many cases with BGP-FS, while other attacks like low bandwidth TCP attacks will have to be mitigated by scrubbing centers.

Even some of those can be mitigated with network and transport layer controls, but certainly, there are places where you need application layer "scrubbing".

> @SDN/NFV: I am not so sure if this will really help or make things just more complicated. I have just been told that people are working on netconf/yang solutions for ACL deployments, which may again only work for intra-AS deployments. But your comment is going, at least in my understanding, beyond ACL deployments, right? Could you please elaborate a bit further on that?

All these techniques (from ACLs to BGP* to SDN) are effectively about programming the forwarding path, albeit with more and more granularity; it's just a matter of where and what the management/control plane is. I agree with your intra-AS comment. -danny