[c-nsp] [j-nsp] SRTBH

harbor235 harbor235 at gmail.com
Wed Jul 13 11:30:27 EDT 2022


thanks for the input

Mike

On Thu, Jul 7, 2022 at 10:20 AM Jeff Haas <jhaas at juniper.net> wrote:

> In circumstances where the routing table can help you mitigate an attack,
> including things that use uRPF, it'll usually scale significantly better
> than flowspec.  This is primarily because flowspec is just a distributed
> way of programming the firewall, and firewalls on transit routers have many
> dimensions where they don't scale nicely.
>
> That said, the firewall on many of our platforms for "block these sources"
> should scale nicely ... but doesn't in flowspec if you have rules that
> interleave.  The interleaving rules interfere with firewall optimization.
>
> The issue above motivates the flowspec v2 work happening in IETF,
> particularly the user-ordered rules.
>
> -- Jeff
>
>
> On 7/7/22, 10:02 AM, "juniper-nsp on behalf of Gert Doering via
> juniper-nsp" <juniper-nsp-bounces at puck.nether.net on behalf of
> juniper-nsp at puck.nether.net> wrote:
>
>
>     Hi,
>
>     On Thu, Jul 07, 2022 at 08:41:56AM -0400, harbor235 via juniper-nsp
> wrote:
>     > Since Flowspec arrived, are there any uses for SRTBH?
>
>     Scaling?
>
>     My understanding of flowspec is that it is typically implemented by
>     programming ACL TCAM, while SRTBH is routing table lookup, so
>     "some 10.000 lines" vs. "2-4 million".
>
>     OTOH, SRTBH is all-or-nothing, not "only port 80"...
>
>     gert
>     --
>     "If was one thing all people took for granted, was conviction that if you
>      feed honest figures into a computer, honest figures come out. Never doubted
>      it myself till I met a computer with a sense of humor."
>                                  Robert A. Heinlein, The Moon is a Harsh Mistress
>
>     Gert Doering - Munich, Germany
> gert at greenie.muc.de
>
>
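To make the contrast Gert and Jeff draw concrete, here is an added illustration (not configuration from the thread or from Juniper) of the two mechanisms side by side on Junos: SRTBH as a discard route plus loose uRPF, so the block is a routing-table lookup, and flowspec as a filter-style rule that can match on port. All addresses are constructed from RFC 5737 documentation ranges, and the interface, route names and the use of 65535:666 as the trigger community are assumptions for the example.

```junos
/* --- SRTBH on an edge router (constructed example) --- */
/* 1. A next-hop address that resolves to discard.  Any route whose
      next hop is 192.0.2.1 is effectively a blackhole. */
routing-options {
    static {
        route 192.0.2.1/32 discard;
    }
}
/* 2. Trigger router export policy: routes tagged with the well-known
      BLACKHOLE community (RFC 7999) get their next hop rewritten to
      the discard address when announced to the edge. */
policy-options {
    community BLACKHOLE members 65535:666;
    policy-statement SRTBH-EXPORT {
        term blackhole {
            from community BLACKHOLE;
            then {
                next-hop 192.0.2.1;
                accept;
            }
        }
    }
}
/* 3. Loose uRPF on the customer/transit-facing interface.  The source
      address of each packet is checked against the routing table; a
      source whose best route leads to the discard next hop fails the
      check.  This is the "routing table lookup" scaling property from
      the thread, and it is all-or-nothing per source prefix. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                rpf-check {
                    mode loose;
                }
            }
        }
    }
}

/* --- Flowspec equivalent of "only port 80" (constructed example) --- */
/* A flow route is installed as a firewall-style filter (ACL/TCAM),
   so it can match on protocol and port but counts against filter
   capacity rather than FIB capacity. */
routing-options {
    flow {
        route DROP-HTTP-TO-VICTIM {
            match {
                destination 203.0.113.10/32;
                protocol tcp;
                destination-port 80;
            }
            then discard;
        }
    }
}
```

With SRTBH the per-source cost is one FIB entry and the policy is "drop everything from that source"; with flowspec the rule is selective but lives in filter hardware, which is the trade-off the thread describes.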