[j-nsp] reinject traffic from DDoS filtering device

Saku Ytti saku at ytti.fi
Thu May 4 17:59:38 EDT 2017


On 5 May 2017 at 00:48, Nikos Leontsinis <nikosietf at gmail.com> wrote:

Hey,

> you still need to have a way to leak between 2 routing domains.

No. The dirty side of scrubber is in VRF and destination for default
route in VRF. Clean side of scrubber is normal INET interface. So
scrubber is 'bridging' the domains. Network itself has clean
separation of VRF and INET, other than cherry picking traffic to VRF
in INET interfaces based on BGP community.

> Let alone the problems that you will have with flowspec...

This is a matter of taste. I prefer DCU, because I view flowspec as more
complicated and there easily could be security implications,
particularly if you speak flowspec to your customers.
But overall this is the same design as my proposed DCU one.

-- 
  ++ytti

