Re: BGP FlowSpec support on provider networks
> Now I realize that FlowSpec isn't a panacea, but it certainly meets some
> of the requirements that many customers have today, and it gives us a
> lot more flexibility over simply destination based filtering. Whether
> it's FlowSpec or something else, what's it going to take to get the
> vendors and the providers to start moving forward on technologies that
> are way overdue given the current trend of worms, botnets, and other
> Internet nastiness?

Well, pretty clearly it's going to have to be multivendor, and not IPR encumbered. Aside from that, of course, the usual advice is to talk to your SE and vote with your wallet.

From our point of view, BGP triggered destination-based filtering is still one of our most important tools. We have thought about FlowSpec but haven't felt the need sufficiently strongly. Due to M&A we are now moving to a mixed Cisco/Juniper network - and FlowSpec is no longer all that interesting since Cisco doesn't implement it.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
RE: BGP FlowSpec support on provider networks
> -Original Message-
> From: Jared Mauch [mailto:ja...@puck.nether.net]
>
> >> Can you name 3 major vendors who support it? I suspect more
> >> providers would
> >
> > juniper... and when they dropped the IPR stuff other vendors basically
> > walked away :(
>
> Causing consultations with lawyers by others involved with the draft.
> Life is interesting.
>
> IPR, Politics and techie communication skills. The path to failure.

I am familiar with the situation with the IPR and I have to say it's a very disappointing turn of events. I've long held Juniper in high regard as a leader in innovation, but in this instance I feel their actions are doing quite the opposite.

That aside, it's 2009 and we're still left with a situation where methodologies which have been used for roughly a decade now (i.e. BGP triggered destination-based filtering) are still considered the norm.

Now I realize that FlowSpec isn't a panacea, but it certainly meets some of the requirements that many customers have today, and it gives us a lot more flexibility over simply destination based filtering. Whether it's FlowSpec or something else, what's it going to take to get the vendors and the providers to start moving forward on technologies that are way overdue given the current trend of worms, botnets, and other Internet nastiness?

Stefan Fouant: NeuStar, Inc.
Principal Network Engineer
46000 Center Oak Plaza Sterling, VA 20166
[ T ] +1 571 434 5656 [ M ] +1 202 210 2075
[ E ] stefan.fou...@neustar.biz [ W ] www.neustar.biz
Re: BGP FlowSpec support on provider networks
On Apr 11, 2009, at 12:54 AM, Christopher Morrow wrote:

> On Fri, Apr 10, 2009 at 6:38 PM, John Payne wrote:
>> On Apr 10, 2009, at 4:27 PM, "Fouant, Stefan" wrote:
>>> Hi folks,
>>>
>>> I am trying to compile data on which providers are currently supporting
>>> BGP Flowspec at their edge, if there are any at all. The few providers
>>> I've reached out to have indicated they do not support this and have no
>>> intention of supporting this any time in the near future. I'm also
>>> curious why something so useful as to have the ability to advertise flow
>>> specification information in NLRI and distribute filtering information
>>> is taking so long to gain a foothold in the industry...
>>
>> Can you name 3 major vendors who support it? I suspect more providers would
>
> juniper... and when they dropped the IPR stuff other vendors basically
> walked away :(

Causing consultations with lawyers by others involved with the draft. Life is interesting.

IPR, Politics and techie communication skills. The path to failure.

- Jared
Re: BGP FlowSpec support on provider networks
On Fri, Apr 10, 2009 at 6:38 PM, John Payne wrote:
> On Apr 10, 2009, at 4:27 PM, "Fouant, Stefan" wrote:
>
>> Hi folks,
>>
>> I am trying to compile data on which providers are currently supporting
>> BGP Flowspec at their edge, if there are any at all. The few providers
>> I've reached out to have indicated they do not support this and have no
>> intention of supporting this any time in the near future. I'm also
>> curious why something so useful as to have the ability to advertise flow
>> specification information in NLRI and distribute filtering information
>> is taking so long to gain a foothold in the industry...
>
> Can you name 3 major vendors who support it? I suspect more providers would

juniper... and when they dropped the IPR stuff other vendors basically walked away :(

> offer it if there was vendor support.
> Last I checked, at least one vendor was fighting mad over the thought of
> supporting it.

yes :( weee! politics!
Re: BGP FlowSpec support on provider networks
> I am trying to compile data on which providers are currently
> supporting BGP Flowspec at their edge, if there are any at all. The
> few providers I've reached out to have indicated they do not support
> this and have no intention of supporting this any time in the near
> future. I'm also curious why something so useful as to have the
> ability to advertise flow specification information in NLRI and
> distribute filtering information is taking so long to gain a foothold
> in the industry...

nLayer has offered flowspec support to customers for many years now. It's really quite simple to use and support too, if you happen to have a largely Juniper based network that is. I'm not aware of any other router vendor who currently supports it, but the loss is entirely theirs.

We do have a fair bit of Crisco in the network, with Juniper primarily in the core and peering/transit edge, so we use a route-server to feed the flowspec routes into the Juniper core. Customers set up an ebgp multihop session with it, and can announce flowspec routes (or standard blackhole via bgp communities) for anything in their registered prefix-list. It's also quite handy for distributing internal use packet filters too.

As for why something so (insanely) useful is slow to be adopted... There are a few reasons, but mostly:

1) A healthy dose of inter-vendor politics.

2) A silly religious belief that bgp shouldn't be used to carry firewall information, and that some other protocol should be invented instead. I think the counter-argument to that is the ability to do inter-provider filtering is precisely why it should be done via bgp, and the success of the current implementation proves how well it works.

3) Another large network who shall remain nameless once used a third party flowspec speaking piece of software which shall also remain nameless, and managed to blackhole their entire network for a noticeable amount of time.

As with anything combining the words "network wide protocol" and "packet filter", a healthy amount of user discretion is advised.

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
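
The restriction described in the message above (customers may announce flowspec routes only for destinations in their registered prefix-list) can be sketched as an acceptance check in front of the route-server. This is an added example, not part of the original message and not nLayer's configuration; the rule dictionary format, `check_rule`, `filter_announcements`, the allowed-action set and the per-customer cap are assumptions, and all prefixes are constructed documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation prefixes), not taken from the thread.
REGISTERED = {"cust-a": ["192.0.2.0/24", "2001:db8:a::/48"]}
ALLOWED_ACTIONS = {"discard", "rate-limit"}  # assumption: actions offered to customers
MAX_RULES_PER_CUSTOMER = 3                   # assumption: small cap for the demo


def check_rule(customer, rule, registered=REGISTERED):
    """Return (accepted, reason) for one customer-announced flow rule."""
    dst = rule.get("destination")
    if not dst:
        # No destination component: the rule would match traffic to anyone.
        return False, "missing destination"
    try:
        net = ipaddress.ip_network(dst, strict=True)
    except ValueError:
        return False, "malformed destination"
    covering = [ipaddress.ip_network(p) for p in registered.get(customer, [])]
    # The destination must be equal to or more specific than a registered prefix.
    if not any(net.version == c.version and net.subnet_of(c) for c in covering):
        return False, "destination outside registered prefixes"
    if rule.get("action") not in ALLOWED_ACTIONS:
        return False, "action not permitted"
    return True, "ok"


def filter_announcements(customer, rules, registered=REGISTERED):
    """Split a customer's announcements into accepted rules and rejections."""
    accepted, rejected = [], []
    for rule in rules:
        ok, reason = check_rule(customer, rule, registered)
        if ok and len(accepted) >= MAX_RULES_PER_CUSTOMER:
            ok, reason = False, "rule limit reached"
        (accepted if ok else rejected).append((rule, reason))
    return accepted, rejected


SAMPLE = [  # constructed announcements
    {"destination": "192.0.2.10/32", "protocol": 17, "dst_port": 53, "action": "discard"},
    {"destination": "192.0.0.0/16", "action": "discard"},        # wider than registered
    {"source": "203.0.113.0/24", "action": "discard"},           # no destination at all
    {"destination": "192.0.2.1/24", "action": "discard"},        # host bits set
    {"destination": "2001:db8:a:1::/64", "action": "redirect"},  # action not offered
]
```

Rejecting rules with no destination or with a destination wider than the registered prefix is the guard against one announcement filtering traffic for the whole network.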
Re: BGP FlowSpec support on provider networks
In my experience it's vendor support that is lacking, not provider support

On Sat, Apr 11, 2009 at 6:08 AM, Fouant, Stefan wrote:
> Hi folks,
>
> I am trying to compile data on which providers are currently supporting
> BGP Flowspec at their edge, if there are any at all. The few providers
> I've reached out to have indicated they do not support this and have no
> intention of supporting this any time in the near future. I'm also
> curious why something so useful as to have the ability to advertise flow
> specification information in NLRI and distribute filtering information
> is taking so long to gain a foothold in the industry...
>
> Stefan Fouant: NeuStar, Inc.
> Principal Network Engineer
> 46000 Center Oak Plaza Sterling, VA 20166
> [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
> [ E ] stefan.fou...@neustar.biz [ W ] www.neustar.biz
Re: BGP FlowSpec support on provider networks
On Apr 10, 2009, at 4:27 PM, "Fouant, Stefan" wrote:

> Hi folks,
>
> I am trying to compile data on which providers are currently supporting
> BGP Flowspec at their edge, if there are any at all. The few providers
> I've reached out to have indicated they do not support this and have no
> intention of supporting this any time in the near future. I'm also
> curious why something so useful as to have the ability to advertise flow
> specification information in NLRI and distribute filtering information
> is taking so long to gain a foothold in the industry...

Can you name 3 major vendors who support it? I suspect more providers would offer it if there was vendor support.

Last I checked, at least one vendor was fighting mad over the thought of supporting it.
Re: BGP FlowSpec support on provider networks
Fouant, Stefan wrote:

> Hi folks,
>
> I am trying to compile data on which providers are currently supporting
> BGP Flowspec at their edge, if there are any at all. The few providers
> I've reached out to have indicated they do not support this and have no
> intention of supporting this any time in the near future. I'm also
> curious why something so useful as to have the ability to advertise flow
> specification information in NLRI and distribute filtering information
> is taking so long to gain a foothold in the industry...

See ipv6 :)
Re: BGP FlowSpec support on provider networks
Fouant, Stefan wrote:
> Hi folks,
>
> I am trying to compile data on which providers are currently supporting
> BGP Flowspec at their edge, if there are any at all. The few providers
> I've reached out to have indicated they do not support this and have no
> intention of supporting this any time in the near future. I'm also
> curious why something so useful as to have the ability to advertise flow
> specification information in NLRI and distribute filtering information
> is taking so long to gain a foothold in the industry...

Just FYI, but when you hit reply and change the subject, your message still shows up under the "Fiber cut in SF area" thread. Anyone who's ignoring that thread will not see your message.

~Seth