GRE performance over the Internet - DDoS cloud mitigation
Good day all, I just want to raise an issue that has not been addressed so far by the DDoS cloud mitigation providers. In either the always-on solution or the on-demand solution, a BGP session has to be established over a GRE tunnel over the Internet between the ISP/NSP/DC and the cloud scrubbing center. BGP/GRE are used for two main purposes: advertising the victim /24 subnet during the attack, and sending the traffic back from the scrubbing center to the provider. The question is: how can we guarantee the GRE/BGP performance (control traffic) during the time between detection and mitigation? Experts from Arbor, Prolexic (Akamai), Radware, Incapsula, Defense.net (F5), Verisign, Nexusguard, Neustar, etc. are most welcome to give opinions. Thanks, Ramy "Only the best is good enough"
On 8 Jun 2015, at 17:57, Ramy Hashish wrote:
a BGP session has to be established over a GRE tunnel over the internet between the ISP/NSP/DC and the cloud scrubbing center,
This is incorrect. In most cloud overlay DDoS mitigation scenarios (e.g., end-customer obtains service from an MSSP which isn't providing them with transit), a) there is no BGP relationship whatsoever between the end-customer and the MSSP, and b) the GRE tunnel is used strictly for re-injection of clean traffic (i.e., post-mitigation) to the end-customer. In some scenarios, DNS is also used in place of/in addition to BGP-based diversion. But GRE is used for re-injection only. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
Depends on what performance considerations you are trying to address, technically. "The question is how can we guarantee the GRE/BGP performance (control traffic) during the time between detection and mitigation?"
GRE decapsulation? I.e., hardware vs. software?
Routing of the protocol over the Internet? I.e., if the inbound path is saturated, what is the availability of the GRE tunnel?
User experience with GRE packet overhead? I.e., TCP fragmentation causing PMTUD messages for reassembly?
I've worked at Prolexic for 7 years and now Akamai for 1.4 years, post-acquisition. Immediately, I can think of multiple scenarios (3) that come to mind on how to solve any one of these categories. Would you like to learn more? lol DB On Mon, Jun 8, 2015 at 7:25 AM, Roland Dobbins <rdobbins@arbor.net> wrote:
On 8 Jun 2015, at 17:57, Ramy Hashish wrote:
a BGP session has to be established over a GRE tunnel over the internet
between the ISP/NSP/DC and the cloud scrubbing center,
This is incorrect.
In most cloud overlay DDoS mitigation scenarios (e.g., end-customer obtains service from an MSSP which isn't providing them with transit), a) there is no BGP relationship whatsoever between the end-customer and the MSSP, and b) the GRE tunnel is used strictly for re-injection of clean traffic (i.e., post-mitigation) to the end-customer.
In some scenarios, DNS is also used in place of/in addition to BGP-based diversion.
But GRE is used for re-injection only.
----------------------------------- Roland Dobbins <rdobbins@arbor.net>
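The third of Dennis's points, GRE header overhead and the PMTUD messages it provokes on the clean-traffic leg, is the one a customer network can size before an attack rather than discover during one. The following is an added example, not code from this thread or from any of the vendors named in it. It assumes plain GRE over IPv4 with a 1500-byte outer MTU, takes header sizes from RFC 2784 (base GRE) and RFC 2890 (key/sequence fields), and applies the fragmentation rules of RFC 791 and the ICMP next-hop MTU field of RFC 1191; the 1500-byte sample packet at the bottom is constructed.

```python
"""GRE re-injection leg: header overhead, inner MTU, MSS clamp, PMTUD verdict.

Added example for this thread, not code from any poster or vendor named in it.
Header sizes follow RFC 2784 (base GRE) and RFC 2890 (key/sequence); the
fragmentation rules are RFC 791 and the ICMP next-hop MTU field RFC 1191.
The 1500-byte outer MTU and the sample packets below are constructed.
"""
import math
from dataclasses import dataclass

IPV4_HDR = 20   # outer or inner IPv4 header, no options
IPV6_HDR = 40
TCP_HDR = 20    # TCP header without options
GRE_BASE = 4    # flags/version + protocol type (RFC 2784)
GRE_CSUM = 4    # checksum + reserved, present when the C bit is set
GRE_KEY = 4     # key, present when the K bit is set (RFC 2890)
GRE_SEQ = 4     # sequence number, present when the S bit is set (RFC 2890)


def gre_overhead(outer_v6=False, checksum=False, key=False, seq=False):
    """Bytes the tunnel adds in front of every re-injected packet."""
    outer = IPV6_HDR if outer_v6 else IPV4_HDR
    gre = GRE_BASE
    if checksum:
        gre += GRE_CSUM
    if key:
        gre += GRE_KEY
    if seq:
        gre += GRE_SEQ
    return outer + gre


def inner_mtu(outer_mtu=1500, **gre_opts):
    """Largest inner packet that crosses the tunnel without fragmentation."""
    return outer_mtu - gre_overhead(**gre_opts)


def clamp_mss(tunnel_mtu, inner_v6=False):
    """MSS to write into SYN/SYN-ACK so that full segments fit the tunnel.

    Same arithmetic as a 'clamp MSS to PMTU' rule on the customer edge:
    MSS = MTU - IP header - TCP header. TCP options (timestamps, SACK)
    shrink the data portion on the sender side, so they are not subtracted.
    """
    ip = IPV6_HDR if inner_v6 else IPV4_HDR
    return tunnel_mtu - ip - TCP_HDR


@dataclass(frozen=True)
class Verdict:
    action: str        # "forward", "fragment" or "icmp-frag-needed"
    next_hop_mtu: int  # what an ICMP type 3 code 4 message would carry
    fragments: int     # inner IPv4 fragments the tunnel ingress would emit


def reinject_ipv4(inner_len, df, tunnel_mtu):
    """Decide what the tunnel ingress does with one inner IPv4 packet.

    A packet larger than the tunnel MTU with DF set cannot be fragmented:
    the ingress must drop it and send ICMP 'fragmentation needed' back to
    the original sender. That is the PMTUD step that silently fails when
    ICMP is filtered somewhere on the return path.
    """
    if inner_len <= tunnel_mtu:
        return Verdict("forward", tunnel_mtu, 1)
    if df:
        return Verdict("icmp-frag-needed", tunnel_mtu, 0)
    # RFC 791: each fragment's payload is a multiple of 8 bytes, and every
    # fragment carries its own IPv4 header.
    payload = inner_len - IPV4_HDR
    per_fragment = ((tunnel_mtu - IPV4_HDR) // 8) * 8
    return Verdict("fragment", tunnel_mtu, math.ceil(payload / per_fragment))


if __name__ == "__main__":
    mtu = inner_mtu()                       # 1500 - 24 = 1476
    print(f"plain GRE over IPv4: inner MTU {mtu}, clamp MSS to {clamp_mss(mtu)}")
    keyed = inner_mtu(key=True, seq=True)   # 1500 - 32 = 1468
    print(f"keyed+sequenced GRE: inner MTU {keyed}, clamp MSS to {clamp_mss(keyed)}")
    # Constructed sample: a client's full-size 1500-byte segment reaches the
    # scrubbing centre and is re-injected, once with DF set, once without.
    for df in (True, False):
        v = reinject_ipv4(1500, df, mtu)
        print(f"1500-byte inner packet, DF={df}: {v.action}, "
              f"next-hop MTU {v.next_hop_mtu}, fragments {v.fragments}")
```

The ICMP message in the DF case goes to the Internet client that originated the packet, not to the customer, so whether it arrives is outside the customer's control. The two standard ways to avoid depending on it are to clamp MSS on SYN-ACKs leaving the customer edge (so clients never send a segment larger than the tunnel can carry) or to let the scrubbing side fragment the outer GRE packet, which moves the reassembly cost onto the customer's decapsulating router. Running this calculation for the tunnel options actually negotiated (key and sequence bits change the answer) is the part worth doing before the on-demand path is ever exercised.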
On 1 Jul 2015, at 1:37, Dennis B wrote:
Would you like to learn more? lol
I'm quite conversant with all these considerations, thanks. OP asserted that BGP sessions for diversion into any cloud DDoS mitigation service ran from the endpoint network through GRE tunnels to the cloud-based mitigation provider. I was explaining that in most cloud mitigation scenarios, GRE tunnels are used for re-injection of 'clean' traffic to the endpoint networks. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
Roland, Agreed, Ramy's scenario was not truly spot on, but his question still remains. Performance implications when cloud security providers' time to detect/mitigate is X minutes. How stable can GRE transports and BGP sessions be when under load? In my technical opinion, this is a valid argument, which deserves wide opinion. Specifically, use cases about how to apply defense in depth logically in the DC vs. hybrid vs. pure cloud. Good topic, already some back-chatter personal opinions from NANOG lurkers! Regards, Dennis B. On Tue, Jun 30, 2015 at 2:45 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
On 1 Jul 2015, at 1:37, Dennis B wrote:
Would you like to learn more? lol
I'm quite conversant with all these considerations, thanks.
OP asserted that BGP sessions for diversion into any cloud DDoS mitigation service ran from the endpoint network through GRE tunnels to the cloud-based mitigation provider. I was explaining that in most cloud mitigation scenarios, GRE tunnels are used for re-injection of 'clean' traffic to the endpoint networks.
----------------------------------- Roland Dobbins <rdobbins@arbor.net>
participants (3)
- Dennis B
- Ramy Hashish
- Roland Dobbins