In circumstances where the routing table can help you mitigate an attack, 
including things that use uRPF, it'll usually scale significantly better than 
flowspec.  This is primarily because flowspec is just a distributed way of 
programming the firewall, and firewalls on transit routers have many dimensions 
where they don't scale nicely.

That said, the firewall on many of our platforms for "block these sources" 
should scale nicely ... but doesn't in flowspec if you have rules that 
interleave.  The interleaving rules interfere with firewall optimization.

The issue above motivates the flowspec v2 work happening in IETF, particularly 
the user-ordered rules.

-- Jeff


On 7/7/22, 10:02 AM, "juniper-nsp on behalf of Gert Doering via juniper-nsp" 
<juniper-nsp-boun...@puck.nether.net on behalf of juniper-nsp@puck.nether.net> 
wrote:



    Hi,

    On Thu, Jul 07, 2022 at 08:41:56AM -0400, harbor235 via juniper-nsp wrote:
    > Since Flowspec arrived, are there any uses for SRTBH?

    Scaling?

    My understanding of flowspec is that it is typically implemented by
    programming ACL TCAM, while SRTBH is routing table lookup, so
    "some 10.000 lines" vs. "2-4 million".

    OTOH, SRTBH is all-or-nothing, not "only port 80"...

    gert
    --
    "If was one thing all people took for granted, was conviction that if you
     feed honest figures into a computer, honest figures come out. Never doubted
     it myself till I met a computer with a sense of humor."
                                 Robert A. Heinlein, The Moon is a Harsh Mistress

    Gert Doering - Munich, Germany                             g...@greenie.muc.de
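As an added illustration of the SRTBH mechanism both posts describe (a routing-table lookup rather than an ACL/TCAM entry per source), this is an example Junos configuration, not something from either poster: a static discard route for a blackhole next-hop, an iBGP import policy that points /32 routes tagged with a blackhole community at that next-hop, and loose-mode uRPF on the edge interface so sources whose route resolves to discard are dropped. The addresses, community value, interface and neighbor are assumed placeholder values.

```junos
routing-options {
    static {
        /* Assumed blackhole next-hop; any route resolving here is discarded */
        route 192.0.2.1/32 discard;
    }
}
policy-options {
    /* Assumed trigger community advertised by the SRTBH trigger router */
    community BLACKHOLE members 65000:666;
    policy-statement SRTBH-IMPORT {
        term srtbh {
            from {
                protocol bgp;
                community BLACKHOLE;
                /* Only accept host routes as blackhole triggers */
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                /* Rewrite next-hop so the source route resolves to discard */
                next-hop 192.0.2.1;
                accept;
            }
        }
    }
}
protocols {
    bgp {
        group ibgp {
            type internal;
            import SRTBH-IMPORT;
            neighbor 10.0.0.1;   /* assumed trigger router */
        }
    }
}
interfaces {
    xe-0/0/0 {
        unit 0 {
            family inet {
                /* Loose uRPF: packets whose source route points to discard are dropped */
                rpf-check {
                    mode loose;
                }
            }
        }
    }
}
```

Because each attacking source costs one FIB entry rather than one firewall term, this is where the "2-4 million" versus "some 10.000 lines" difference in the thread comes from; the trade-off remains that it drops all traffic from that source, not just one port.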


_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
