[j-nsp] reinject traffic from DDoS filtering device

Dragan Jovicic draganj84 at gmail.com
Thu May 4 18:11:03 EDT 2017


>
> particularly if you speak flowspec to your customers.
>

We don't. This is for intradomain use. We use different methods to sell
wholesale DDoS scrubbing along with normal RTBH (which still suffices for
most customers).
But it is quite possible we might give some customers flowspec peering in
the future.

> Let alone the problems that you will have with flowspec...
>

Such as?

> But overall this is the same design as my proposed DCU one.


It is exactly like this, in fact we used something similar but switched to
flowspec.

+Dragan




On Thu, May 4, 2017 at 11:59 PM, Saku Ytti <saku at ytti.fi> wrote:

> On 5 May 2017 at 00:48, Nikos Leontsinis <nikosietf at gmail.com> wrote:
>
> Hey,
>
> > you still need to have a way to leak between 2 routing domains.
>
> No. The dirty side of scrubber is in VRF and destination for default
> route in VRF. Clean side of scrubber is normal INET interface. So
> scrubber is 'bridging' the domains. Network itself has clean
> separation of VRF and INET, other than cherry picking traffic to VRF
> in INET interfaces based on BGP community.
>
> > Let alone the problems that you will have with flowspec...
>
> This is a matter of taste. I prefer DCU, because I view flowspec as more
> complicated and there easily could be security implications,
> particularly if you speak flowspec to your customers.
> But overall this is the same design as my proposed DCU one.
>
> --
>   ++ytti
>

