----- On 13 Jul, 2018, at 11:30, Saku Ytti s...@ytti.fi wrote:

> On Fri, 13 Jul 2018 at 06:19, Antti Ristimäki <antti.ristim...@csc.fi> wrote:
> 
>> I can see the reasoning behind disabling sub detection, but how would you
>> then protect, e.g. in a peering VLAN, against a single peer killing all the
>> other BGP sessions behind that specific ifl?
> 
> I'm sure you were anticipating my answer: you don't.
> 
> I don't think there is a reasonable way to make shared LAN termination
> safe. The sub detection _MIGHT_ work against some unintentional DDoS
> vectors in a shared LAN, but it can't really work for intentional DDoS
> vectors. The MX model I was testing against had about 4k policers for
> DDoS, plenty for reasonably protecting protocol*ifl with dynamic
> detection (with static policers, not very reasonable even there). But
> 4k for sub detection? Just use 4k source ports and you congest the
> policers, and when that happens they are compressed to the next level
> (ifl) anyhow.
> But just being able to limit collateral damage to IFL level is huge,
> no other vendor can do it AFAIK.

Right. Also, if one has a host in, let's say, a /64 IPv6 subnet, (s)he can send
traffic towards the router from quite a lot of source addresses and thus deplete
the policers.

Antti



-- 
CSC - IT Center for Science Ltd's processing of personal data in its customer and
stakeholder registers is described in its privacy notices:
https://www.csc.fi/tietosuoja

CSC - IT Center for Science Ltd processes customer and other stakeholder 
personal information in the following way:
https://www.csc.fi/privacy
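To make the containment boundary the thread is about concrete, here is a small model of a finite pool of dynamic DDoS-protection policers with per-subscriber ("sub") detection that is compressed to the protocol*ifl level once the pool is exhausted. This is an added illustration, not Junos code or anything from the posters: the pool size, per-policer rate, interface names, addresses (RFC 3849 documentation space) and traffic pattern are all constructed assumptions. It shows the point both posters make: many distinct sub keys on one ifl exhaust the sub policers, after which the legitimate peers on that ifl share one aggregate policer with the flood, while peers on a different ifl keep their own policers and are unaffected.

```python
"""Toy model of hierarchical DDoS-protection policers (constructed example).

Not Junos code. Models: a finite pool of dynamic sub-level policers keyed by
(protocol, ifl, sub); when the pool is full, all sub policers on the affected
protocol*ifl are compressed into that ifl's aggregate policer. Aggregate
protocol*ifl policers are treated as static (always present, outside the pool).
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    protocol: str   # e.g. "bgp"
    ifl: str        # logical interface name (assumed label)
    sub: tuple      # subscriber key, e.g. (source address, source port)


@dataclass
class PolicerPool:
    capacity: int                 # number of dynamic sub-level policers (assumed)
    rate: int                     # packets per interval each policer admits (assumed)
    sub_detection: bool = True
    sub_counters: dict = field(default_factory=dict)   # (proto, ifl, sub) -> admitted
    ifl_counters: dict = field(default_factory=dict)   # (proto, ifl) -> admitted
    compressed: set = field(default_factory=set)       # protocol*ifl pairs collapsed

    def _select(self, pkt):
        """Return (counter dict, key) for this packet."""
        agg = (pkt.protocol, pkt.ifl)
        if self.sub_detection and agg not in self.compressed:
            k = agg + (pkt.sub,)
            if k in self.sub_counters or len(self.sub_counters) < self.capacity:
                return self.sub_counters, k
            # Pool exhausted: compress every sub policer on this protocol*ifl
            # into the aggregate and stop allocating sub policers for it.
            self.compressed.add(agg)
            for old in [c for c in self.sub_counters if c[:2] == agg]:
                del self.sub_counters[old]
        return self.ifl_counters, agg

    def admit(self, pkt):
        counters, k = self._select(pkt)
        n = counters.get(k, 0)
        if n >= self.rate:
            return False            # policed (dropped) at key k
        counters[k] = n + 1
        return True


def run_scenario(capacity=8, rate=10, sub_detection=True):
    """Run constructed traffic through the model; return (pool, admitted counts)."""
    pool = PolicerPool(capacity=capacity, rate=rate, sub_detection=sub_detection)
    admitted = defaultdict(int)

    # Constructed sample: three BGP peers on peering ifl "A", two on ifl "B".
    peers_a = [(f"2001:db8:a::{i}", 179) for i in (1, 2, 3)]
    peers_b = [(f"2001:db8:b::{i}", 179) for i in (1, 2)]
    # One host on ifl "A" seen under many distinct sub keys (many source
    # ports), each key individually staying under the per-sub rate.
    flood = [("2001:db8:a::bad", 40000 + p) for p in range(20)]

    def send(ifl, subs, rounds):
        for _ in range(rounds):
            for sub in subs:
                if pool.admit(Packet("bgp", ifl, sub)):
                    admitted[(ifl, sub)] += 1

    send("A", peers_a, 1)   # peers on A get sub-level policers
    send("B", peers_b, 1)   # peers on B get sub-level policers
    send("A", flood, 5)     # flood exhausts the pool -> bgp*A is compressed
    send("A", peers_a, 3)   # peers on A now compete inside A's aggregate
    send("B", peers_b, 3)   # peers on B are untouched: damage stays on ifl A
    return pool, dict(admitted)


if __name__ == "__main__":
    pool, adm = run_scenario()
    print("compressed protocol*ifl:", pool.compressed)
    for (ifl, sub), n in sorted(adm.items()):
        print(f"{ifl} {sub[0]:>18}:{sub[1]:<6} admitted={n}")
```

With the defaults, only `("bgp", "A")` ends up compressed: the three peers on A get one packet each through before the flood collapses the ifl, and nothing afterwards, while both peers on B get every packet through. Re-running with `sub_detection=False` shows the flat case: A's peers and the flood share the aggregate from the first packet, and B is again unaffected, which is the "collateral damage limited to IFL level" both posters describe.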


_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
