Hey Russ, 

On 10/11/14, 10:07 AM, "Russ White" <[email protected]> wrote:

>
>> As I stated in my last E-mail, the IGPs aren't really a good tool for generic
>> flow-spec distribution. Other than perhaps DDoS mitigation, I don't see a real
>> use case for flooding the same flow-spec to everyone in the routing domain
>> or, even worse, flooding everybody's flow-specs everywhere.
>
>Agreed. It always looks more and more like we need a "generic transport
>protocol" for flooding various bits of information through a domain. We seem
>to consistently reject the idea, and then we consistently have ideas thrown
>around about how to do this very same thing in some existing protocol...

OSPF is a good choice for quickly disseminating the same piece of
information to multiple OSPF routers using the same policy and I believe
that the transport instance
http://www.ietf.org/id/draft-ietf-ospf-transport-instance-11.txt
facilitates this. However, I see flow-spec distribution in the general
controller case as being peer specific or even peer interface specific. Do
you disagree? 

The use case in question is mitigating attacks closer to the compromised
system by pushing the flow-spec to the customer sites using OSPF as a
PE-CE protocol (RFC 4577). Are there any other instances where we'd want
to push the same flow-spec to the routers in an IGP domain using OSPF or
ISIS? 

Thanks,
Acee 





>
>Let's just add another AFI to BGP. :-)
>
>Anyway, OSPF isn't the right place for this sort of thing.
>
>:-)
>
>Russ
>
>
>

_______________________________________________
OSPF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ospf
