[j-nsp] ddos protocol protection - IPv4-unclassified

Saku Ytti saku at ytti.fi
Tue Apr 11 07:25:49 EDT 2017


Hey,

>> b) LPTS only has 'aggregate' (NPU) level policing, ddos-protection has
>> aggregate => ifd => ifl => sub
> I don't really see a need for hierarchical policers and besides the uKernel and RE policers are SW, only the LU has HW policer.

It's not really hierarchical: the same packet can't hit many of those,
only one of them. They are all in HW. Without different levels of
policers, how do you stop one customer from bringing all customers
down? If all is just aggregate, then one customer can break all
customers.

>> c) There is no log information of what is causing LPTS or XIPC to drop packets
>>
> Not sure what you mean you're getting no info or insufficient info? Cause although native LPTS alerting doesn't exist it can be done with a TCL script applied through EEM.

Alerting how? To actually know what packets you're dropping, you'd
need to capture NPU counters, a tricky thing to do and one that causes a short
outage in older versions.

> Hmm but even if it was, the session would have to time-out first so during the timeout period the "good" session could be affected/starved out.

Quite. The only solution, as far as I can see, is to create a more-specific
solution for offenders, removing stress from the aggregate one.


-- 
  ++ytti
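As an added illustration of the point made above about aggregate-only policing versus a more-specific policer for an offender (this is a toy model written for this page, not code from the thread, from Junos ddos-protection or from IOS XR LPTS), the script below compares the two arrangements; the flow names and rates are constructed sample values.

```python
# Toy model of control-plane policing (constructed example, not vendor code).
# A shared "aggregate" policer hands out its rate in proportion to offered
# load, so a single offender starves every other customer. Giving the
# offender its own, more-specific policer (the ifd/ifl/subscriber levels the
# thread refers to) means each packet is policed by exactly one policer and
# the aggregate is no longer stressed.

def police(offered, rate):
    """Fluid approximation of one shared policer.

    offered: {flow: packets per second}. Returns {flow: packets admitted
    per second}; when the bucket is oversubscribed each flow gets a share
    proportional to what it offered."""
    total = sum(offered.values())
    if total <= rate:
        return dict(offered)
    return {flow: pps * rate / total for flow, pps in offered.items()}

def simulate(offered, aggregate_rate, specific=None):
    """`specific` maps a flow (e.g. the ifl a suspicious flow was detected
    on) to its own policer rate. A flow with a specific policer never
    touches the aggregate one, mirroring "same packet can't hit many of
    those, only one"."""
    specific = specific or {}
    passed = {flow: min(offered[flow], rate) for flow, rate in specific.items()}
    rest = {flow: pps for flow, pps in offered.items() if flow not in specific}
    passed.update(police(rest, aggregate_rate))
    return passed

# Constructed load: two customers at 5 pps and one offender at 1000 pps,
# against a 100 pps aggregate policer.
OFFERED = {"cust-a": 5, "cust-b": 5, "attacker": 1000}
AGGREGATE_RATE = 100

def aggregate_only():
    """LPTS-style: a single aggregate policer for everyone."""
    return simulate(OFFERED, AGGREGATE_RATE)

def with_specific_policer():
    """ddos-protection-style: the detected offender gets a 10 pps policer
    of its own; the good customers pass untouched through the aggregate."""
    return simulate(OFFERED, AGGREGATE_RATE, specific={"attacker": 10})

if __name__ == "__main__":
    for name, result in (("aggregate only", aggregate_only()),
                         ("with specific policer", with_specific_policer())):
        print(name, {k: round(v, 2) for k, v in result.items()})
```

With only the aggregate policer each customer keeps well under one packet per second of its offered five; with the offender isolated, both customers pass all of their traffic.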