* "Roland Dobbins" <rdobbins@arbor.net>
> On 12 Jan 2015, at 16:19, Tore Anderson wrote:
>> I'd love to use flowspec over D/RTBH, but to me it seems like vapourware.
> I meant on your own infrastructure, apologies for the confusion.

Right. So if I first need to accept the traffic onto my infrastructure before I can discard it, I'm dead in the water anyway: My uplinks will sit there at 100% ingress utilisation, dropping legitimate traffic. /32 or /128 D/RTBH announcements towards my transits is my only real option at this point. That helps protect against collateral damage, and if the customer's audience is local, it can also restore full operation for the attacked customer's primary markets (which are usually reached via peers instead of transits). For attacks that are conveniently sized smaller than my upstream capacity, I could see that flowspec could be useful, but not in a unique way, as inside my own network I can easily distribute targeted stateless discard ACLs in many other ways too (I use Netconf currently).

> Transit providers utilizing Juniper aggregation edge routers could do it now - why they don't, I don't know.

I'd definitely be willing to pay a premium for such a feature.

Tore
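The decision Tore describes above, as an added example that is not part of the thread: when the flood exceeds upstream capacity, a /32 or /128 D/RTBH announcement towards transits is the only option, otherwise a targeted stateless discard inside the network will do. Assumptions: the announcements are phrased in ExaBGP's API syntax with an operator-chosen next-hop, and 65535:666 is the RFC 7999 BLACKHOLE community; the addresses are constructed documentation-range values.

```python
import ipaddress

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE well-known community


def rtbh_announcement(target: str, next_hop: str) -> str:
    """Build a D/RTBH host-route announcement towards transits.

    Transits generally accept only /32 (IPv4) or /128 (IPv6) blackhole
    routes, so a shorter prefix is rejected here instead of blackholing
    a whole subnet by accident. Output format assumes ExaBGP's API.
    """
    net = ipaddress.ip_network(target, strict=True)
    if net.prefixlen != net.max_prefixlen:
        raise ValueError(f"D/RTBH requires a host route, got {net}")
    return (f"announce route {net} next-hop {next_hop} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def flowspec_discard(target: str, protocol: str, dst_port: int) -> str:
    """Build a targeted stateless discard as a flowspec rule for use inside
    one's own network, i.e. when the attack already fits within uplink
    capacity. The rule text assumes ExaBGP's flow-route API syntax."""
    net = ipaddress.ip_network(target, strict=True)
    return ("announce flow route { match { "
            f"destination {net}; protocol {protocol}; "
            f"destination-port ={dst_port}; "
            "} then { discard; } }")


def choose_mitigation(attack_gbps: float, uplink_gbps: float, target: str,
                      next_hop: str, protocol: str = "udp",
                      dst_port: int = 53) -> tuple[str, str]:
    """Return ('rtbh', announcement) when ingress would saturate (discarding
    after acceptance helps nothing), else ('flowspec', rule)."""
    if attack_gbps >= uplink_gbps:
        return "rtbh", rtbh_announcement(target, next_hop)
    return "flowspec", flowspec_discard(target, protocol, dst_port)


if __name__ == "__main__":
    # Constructed scenario: 40 Gbit/s flood against a 20 Gbit/s uplink.
    print(choose_mitigation(40, 20, "192.0.2.10/32", "192.0.2.1"))
    # Constructed scenario: 5 Gbit/s flood, fits within the same uplink.
    print(choose_mitigation(5, 20, "192.0.2.10/32", "192.0.2.1"))
```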