Also, if I'm buying full line rate commit from you then you're not actually losing any money on the deal whether or not you route me the traffic.
-Daniel

Daniel Corbe <co...@corbe.net> writes:

> Saku Ytti <s...@ytti.fi> writes:
>
>> On (2014-09-18 13:53 -0400), Daniel Corbe wrote:
>>
>> Hi Daniel,
>>
>>> This seems like it would be a godsend for small operators like
>>> myself who don't have access to unlimited bandwidth and are put
>>> off by off-site scrubbing services.
>>>
>>> As far as I can tell though the only platforms that offer support are
>>> the 7750-SR and platforms made by Juniper.
>>
>> Cisco IOS-XR supports flowspec today as well.
>>
>> How much more would you pay per Mbps/month to have operator offer flowspec?
>> IP transit is quite low margin product, supporting flowspec may have some
>> adverse effects to business case:
>>
>> a) you're paying less, as you're not receiving the traffic
>
> This ventures into the realm of an operator doing something responsible
> to protect me vs routing me unwanted traffic and going "lol, bill."
>
> If you want to start playing that game, I'm happy to pay more per mbit
> of traffic if you're happy to guarantee me that you won't route me
> traffic that I'm expressly uninterested in.
>
>> b) operator may get more traffic, as attack does not yield desired
>> outcome
>
> Not necessarily true. If I can identify and push malicious traffic
> towards your edge, then you can do the same towards your peers.
>
> If I can ask you to filter by source, can you turn around and do so by
> source *AND* destination? You know what I'm announcing, so it seems
> like this ought to be possible. Short of that, it would require us to
> be in a trust relationship and I can see how that would be problematic.
>
> If we circle back around to paying a premium for the service, then I'm
> going to expect you to absorb the attack on my behalf.
>
>>
>> And when we look at the feature technically
>>
>> a) junos does not allow setting flowspec on in FW filters and then apply FW
>> filter where you wish to do it, it's automatically turned on for all traffic
>> transiting box. This may be undesirable.
>>
>> b) by default junos accepts all flowspec actions, such as diverting traffic
>> to new IP or new VRF. This may cause undesirable security issues.
>>
>> c) added feature == added complexity == reduced availability
>
> -Daniel
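
Two points from the thread, that a provider knows what the customer announces and that accepting every flowspec action by default is risky, can be combined into one acceptance check on the provider side. The Python below is an added example, not code from the thread or from any vendor; `FlowRule`, `evaluate`, the action names and the allowlist are hypothetical, and all prefixes are constructed documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumption: the provider honours only filtering actions from customers,
# never actions that steer traffic elsewhere (redirect to IP or VRF).
ALLOWED_ACTIONS = {"discard", "rate-limit"}


@dataclass(frozen=True)
class FlowRule:
    dst: str                 # destination prefix the rule matches
    action: str              # e.g. "discard", "rate-limit", "redirect-vrf"
    src: str = "0.0.0.0/0"   # optional source prefix match


def evaluate(rule, announced):
    """Return (accepted, reason) for a rule received on a customer session.

    announced: prefixes the customer originates towards the provider.
    """
    if rule.action not in ALLOWED_ACTIONS:
        return False, f"action {rule.action!r} not permitted"
    dst = ip_network(rule.dst)
    nets = [ip_network(p) for p in announced]
    # The rule may only affect traffic destined to the customer's own space.
    if not any(dst.version == n.version and dst.subnet_of(n) for n in nets):
        return False, f"destination {dst} outside customer announcements"
    return True, "ok"


def demo():
    announced = ["192.0.2.0/24"]  # constructed sample announcement
    rules = [
        FlowRule("192.0.2.10/32", "discard", src="198.51.100.0/24"),
        FlowRule("192.0.2.10/32", "redirect-vrf"),
        FlowRule("203.0.113.0/24", "discard"),
        FlowRule("0.0.0.0/0", "discard"),
    ]
    return [evaluate(r, announced)[0] for r in rules]


if __name__ == "__main__":
    for accepted in demo():
        print("accept" if accepted else "reject")
```
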