[c-nsp] [j-nsp] SRTBH
harbor235
harbor235 at gmail.com
Wed Jul 13 11:30:27 EDT 2022
Thanks for the input.
Mike
On Thu, Jul 7, 2022 at 10:20 AM Jeff Haas <jhaas at juniper.net> wrote:
> In circumstances where the routing table can help you mitigate an attack,
> including things that use uRPF, it'll usually scale significantly better
> than flowspec. This is primarily because flowspec is just a distributed
> way of programming the firewall, and firewalls on transit routers have many
> dimensions where they don't scale nicely.
>
> That said, the firewall on many of our platforms for "block these sources"
> should scale nicely ... but doesn't in flowspec if you have rules that
> interleave. The interleaving rules interfere with firewall optimization.
>
> The issue above motivates the flowspec v2 work happening in IETF,
> particularly the user-ordered rules.
>
> -- Jeff
>
>
> On 7/7/22, 10:02 AM, "juniper-nsp on behalf of Gert Doering via
> juniper-nsp" <juniper-nsp-bounces at puck.nether.net on behalf of
> juniper-nsp at puck.nether.net> wrote:
>
> Hi,
>
> On Thu, Jul 07, 2022 at 08:41:56AM -0400, harbor235 via juniper-nsp
> wrote:
> > Since Flowspec arrived, are there any uses for SRTBH?
>
> Scaling?
>
> My understanding of flowspec is that it is typically implemented by
> programming ACL TCAM, while SRTBH is routing table lookup, so
> "some 10.000 lines" vs. "2-4 million".
>
> OTOH, SRTBH is all-or-nothing, not "only port 80"...
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
>
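For contrast, here is an added Junos-style configuration sketch (my own illustration, not from any poster in the thread) of the two mechanisms being compared: an SRTBH drop for one attack source via a discard route plus loose-mode uRPF, beside a flowspec route that matches only TCP port 80 from that same source to one victim. The addresses are constructed from documentation ranges and the interface name is an assumption.

```junos
/* SRTBH on an edge router. The attack source is reached via a discard route,
   so loose-mode uRPF drops every packet from it, whatever the destination or
   port, with nothing more than a routing-table lookup (all-or-nothing).
   Assumes the platform treats a source resolving to a discard route as a
   uRPF failure, which is what SRTBH relies on. */
routing-options {
    static {
        /* 192.0.2.7/32 is a constructed attacker source. In a real SRTBH
           deployment the trigger router advertises it with a community and an
           import policy sets the discard next hop; a static is used here only
           to keep the example self-contained. */
        route 192.0.2.7/32 discard;
    }
    /* Flowspec equivalent: a 5-tuple match installed as a firewall-style rule.
       It is selective ("only port 80" to one victim) but consumes filter or
       TCAM resources, which is the scaling difference the thread discusses. */
    flow {
        route drop-http-from-attacker {
            match {
                /* constructed attacker source and victim destination */
                source 192.0.2.7/32;
                destination 198.51.100.10/32;
                protocol tcp;
                destination-port 80;
            }
            then discard;
        }
    }
}
interfaces {
    /* assumed upstream-facing interface */
    ge-0/0/0 {
        unit 0 {
            family inet {
                rpf-check {
                    /* loose mode: the source only has to have a usable route */
                    mode loose;
                }
            }
        }
    }
}
```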