[c-nsp] BGP flowspec S/RTBH for large DDoS
Saku Ytti
saku at ytti.fi
Thu May 19 07:49:10 EDT 2016
On 19 May 2016 at 14:40, Adam Vitkovsky <Adam.Vitkovsky at gamma.co.uk> wrote:
Hey,
> I'm sorry, I wasn't necessarily commenting on your worries, where if I understand it correctly you mentioned that if a customer advertises a rule with set next hop to other VRF the rule gets installed, allowing him to inject traffic to that VRF - and thus this type of action should be rejected when received via CP-PE eBGP session.
> -did I get it right?
Yes. Incoming traffic to your network could be diverted to arbitrary
VRF or arbitrary next-hop, and whatever actions flow-spec will get in
future.
> In my question I was trying to ask whether the below shortcomings of current flowspec implementations are being addressed.
They are not, but diverting someone else's traffic is addressed by RFC.
--
++ytti