[j-nsp] reinject traffic from DDoS filtering device

"Rolf Hanßen" nsp at rhanssen.de
Fri May 5 05:55:57 EDT 2017


We (Alex and I work for the same company) are speaking about 2 routers + 1
scrubbing device each location/setup and separated IP aggregates each
So all routers will have a direct connection to the scrubbing center (in
and out) as well as external connections (2-5 logical interfaces) as well
as customer connections.
We also do not need to care about internal flooding and we don't need/want
to transport traffic from other routers to a non-attached scrubbing
If the scrubber system fails, redirected traffic will be dropped (we are
aware of this).

It may sound insufficient to you, but keeping the setup as easy as
possible is a main goal here, scaling to dozens of routers does not

How would I do that redirection with flowspec?

Kind regards

> On 5 May 2017 at 10:40, "Rolf Hanßen" <nsp at rhanssen.de> wrote:
>> I was wondering if there is maybe even a way to combine that with BGP
>> advertisement.
>> I.e. send a route via bgp that is not installed to the fib but
>> referenced
>> in the filter.
>> Any idea if that is possible?
> Flowspec can do this. But do you really have scrubber attached to each
> device, or are you willing to do hop-by-hop filtering to get packet
> where you want it to go? Or is the next-hop labeled and enters LSP
> towards the next-hop? With LSP I could buy-in to the solution.
> It seems very NIH solution, when L3 MPLS VPN exists and is very clean
> and easy to understand solution. And L3 MPLS VPN will easily allow you
> to have multiple scrubbers and route packets to closest one. And as
> you add more services, adding new VPNs for each service is very low
> effort, as BGP already exists, you just need to add the new instance.
> I think you need to have really strong justification to do anything
> else but VRF. Your current justification 'sounds far easier to me', is
> insufficient.
> --
>   ++ytti
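As an added example (not from Rolf's or ytti's messages), here is what the arrangement ytti describes looks like on one of the two routers per site: a BGP flowspec route whose action steers matching traffic into a small VRF, and that VRF has exactly one exit, the dirty link towards the local scrubber. The clean link back from the scrubber sits in the global table and is excluded from flowspec matching, so returning traffic is not redirected a second time. The prefixes are RFC 5737 documentation addresses; the interface names, AS number, route target 65000:100, session addresses and the policy name are all assumptions. The `interface-group ... exclude` and `no-validate` knobs should be confirmed against the Junos release in use.

```junos
/* Added example, not from the thread. Addresses, interface names and the
   AS / route-target values are assumptions. */

routing-instances {
    SCRUB {
        /* VRF that only knows one way out: the dirty link into the scrubber. */
        instance-type vrf;
        interface xe-0/0/2.0;
        route-distinguisher 65000:100;
        vrf-target target:65000:100;
        routing-options {
            static {
                /* 198.51.100.2 = scrubber dirty-side address. If the scrubber
                   is down this is a blackhole, which matches the thread's
                   "redirected traffic will be dropped" assumption. */
                route 0.0.0.0/0 next-hop 198.51.100.2;
            }
        }
    }
}

routing-options {
    flow {
        /* Interfaces in group 10 are not subject to flowspec filtering.
           The clean return link must be here, otherwise traffic coming back
           from the scrubber would match again and loop into the VRF. */
        interface-group 10 exclude;
        route redirect-192-0-2-0 {
            match {
                /* customer aggregate under attack */
                destination 192.0.2.0/24;
            }
            then {
                /* steer into the SCRUB VRF by its route target */
                routing-instance target:65000:100;
            }
        }
    }
}

interfaces {
    xe-0/0/3 {
        description "clean return path from scrubber, stays in inet.0";
        unit 0 {
            family inet {
                address 198.51.100.5/30;
                /* membership in the excluded flowspec interface-group */
                filter {
                    group 10;
                }
            }
        }
    }
}

protocols {
    bgp {
        group scrub-controller {
            /* iBGP session from whatever originates the flowspec routes.
               no-validate accepts flow routes even when the same speaker does
               not also announce the matching unicast prefix (RFC 5575 check). */
            type internal;
            local-address 203.0.113.1;
            family inet {
                unicast;
                flow {
                    no-validate accept-all-flow;
                }
            }
            neighbor 203.0.113.2;
        }
    }
}

policy-options {
    policy-statement accept-all-flow {
        then accept;
    }
}
```

With two routers and one scrubber per site, the same stanza goes on both routers, each pointing at its own dirty and clean links; the customer prefix stays a normal route in inet.0, which is what the clean link forwards into. The flow route can equally be configured locally under `routing-options flow` instead of learned over BGP, which is the "not installed to the FIB but referenced in the filter" behaviour asked about above: a flowspec route is only ever a filter term, never a forwarding entry.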
