[j-nsp] SRTBH

Jeff Haas jhaas at juniper.net
Thu Jul 7 10:20:01 EDT 2022


In circumstances where the routing table can help you mitigate an attack, including things that use uRPF, it'll usually scale significantly better than flowspec.  This is primarily because flowspec is just a distributed way of programming the firewall, and firewalls on transit routers have many dimensions where they don't scale nicely.

That said, the firewall on many of our platforms for "block these sources" should scale nicely ... but doesn't in flowspec if you have rules that interleave.  The interleaving rules interfere with firewall optimization.

The issue above motivates the flowspec v2 work happening in IETF, particularly the user-ordered rules.

-- Jeff


On 7/7/22, 10:02 AM, "juniper-nsp on behalf of Gert Doering via juniper-nsp" <juniper-nsp-bounces at puck.nether.net on behalf of juniper-nsp at puck.nether.net> wrote:



    Hi,

    On Thu, Jul 07, 2022 at 08:41:56AM -0400, harbor235 via juniper-nsp wrote:
    > Since Flowspec arrived, are there any uses for SRTBH?

    Scaling?

    My understanding of flowspec is that it is typically implemented by
    programming ACL TCAM, while SRTBH is routing table lookup, so
    "some 10.000 lines" vs. "2-4 million".

    OTOH, SRTBH is all-or-nothing, not "only port 80"...

    gert
    --
    "If was one thing all people took for granted, was conviction that if you
     feed honest figures into a computer, honest figures come out. Never doubted
     it myself till I met a computer with a sense of humor."
                                 Robert A. Heinlein, The Moon is a Harsh Mistress

    Gert Doering - Munich, Germany                             gert at greenie.muc.de
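The two approaches discussed in the thread, side by side, as an added Junos configuration example (not taken from either poster): an SRTBH setup where a BGP-learned /32 carrying a blackhole community is pointed at a discard next-hop and loose-mode uRPF then drops traffic from that source, and a flowspec route that drops only TCP port 80 toward one victim address. The community value 65000:666, the discard address 192.0.2.1, the interface name and the RFC 5737 prefixes are placeholders chosen for the example.

```junos
/* --- SRTBH: one routing-table entry per blackholed source --- */
routing-options {
    static {
        /* 192.0.2.1 is never used as a real address; it exists only so that
           any route whose next-hop resolves to it is discarded */
        route 192.0.2.1/32 discard;
    }
}
policy-options {
    /* Placeholder blackhole community; agree the real value with your peers */
    community BLACKHOLE members 65000:666;
    policy-statement IMPORT-SRTBH {
        term blackhole {
            from {
                protocol bgp;
                community BLACKHOLE;
                /* Only accept host routes as blackhole triggers */
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                next-hop 192.0.2.1;
                accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Loose uRPF: a packet is dropped if the best route to its
                   source address is a discard route, i.e. a blackholed /32 */
                rpf-check {
                    mode loose;
                }
            }
        }
    }
}

/* --- Flowspec: a firewall-style match, selective but TCAM-backed --- */
routing-options {
    flow {
        route BLOCK-HTTP-TO-VICTIM {
            match {
                destination 203.0.113.10/32;
                protocol tcp;
                destination-port 80;
            }
            then discard;
        }
    }
}
```

The SRTBH half drops every packet from a blackholed source regardless of port, which is the all-or-nothing property mentioned above, but each entry costs one FIB route and a uRPF lookup that is already part of forwarding. The flowspec half can be as narrow as a single destination port, but each rule consumes firewall/ACL resources on every transit router that installs it; for a long list of sources, the routing-table approach is the one that keeps scaling.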

