Since DDoS mitigation may be of interest to folks on the OPSEC list, I'm sharing this draft about BGP/flowspec enhancements intended to help with DDoS.
Looking forward to any comments, questions, or criticisms that you might have: -------- Forwarded Message -------- Subject: [Idr] flowspec enhancements Date: Tue, 15 Sep 2015 13:39:29 -0400 From: Wesley Eddy <w...@mti-systems.com> Organization: MTI Systems To: i...@ietf.org CC: Justin Dailey <jus...@mti-systems.com> Hello, we've been working on a few enhancements to the BGP flowspec capabilities that may be of interest: https://tools.ietf.org/html/draft-eddy-idr-flowspec-exp-00 There are several ideas described in the document that could be factored out from one another, but the basic idea is to increase the power of flowspec, mainly for its DDoS mitigation purposes. Specifically, the suggested enhancements include: - add packet rate limitations as an action (not just bitrate) - add support for filtering of tunneled traffic (unencrypted) - identifying flow specifications for tracking and communication between providers - cryptographically signing flowspecs - supporting a more surgical re-route to scrubbing centers - providing feedback about flowspecs to the source If any of these are interesting to folks, we'll appreciate your feedback, comments, questions, etc. Some are more difficult than others. I'm assuming IDR is a reasonable list for this, though it also touches SIDR and OPSEC topics, but will appreciate the chairs' thoughts on this. It has been mentioned in the DOTS list, but is obviously out of scope for DOTS. -- Wes Eddy MTI Systems _______________________________________________ Idr mailing list i...@ietf.org https://www.ietf.org/mailman/listinfo/idr _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec
