[134427] in North American Network Operators' Group
Re: Announcing the Community FlowSpec trial
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Wed Jan 5 23:27:04 2011
In-Reply-To: <20110106005110.GF38726@gerbil.cluepon.net>
Date: Wed, 5 Jan 2011 23:26:21 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Richard A Steenbergen <ras@e-gerbil.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Jan 5, 2011 at 7:51 PM, Richard A Steenbergen <ras@e-gerbil.net> wrote:
> On Wed, Jan 05, 2011 at 05:46:36PM -0600, John Kristoff wrote:
>> Friends and colleagues,
>>
>> At NANOG 48 I talked about a community flow-spec service we were
>> looking at trying to make work. This is the idea of using IETF RFC
>> 5575 to pass around flow-based rules, in this case, primarily for
>> dropping unwanted packets.
<snip>
> As a word of warning to anyone who wants to deploy this on their Juniper
> routers (what other router vendors support it? :P), there are some
> pretty serious performance considerations of which you should be aware.
>
> For example, we discovered that on MX routers (with classic I-chip DPCs,
> the performance should be somewhat better for Trio cards but we haven't
> fully tested the exact numbers yet), installing as few as a dozen
> flowspec routes can create firewall filters that use enough SRAM
'as few as a dozen' - of things like:
(forgive the hackery into cisco-ese)
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
or with port/protocol/flags/sizes/etc.?
(can you provide some examples of your dozen-or-so - give folks a
starting point in their testing)
-chris
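For readers trying to picture what "a dozen flowspec routes" actually carry, here is an added example (written for this archive page, not code from the thread's authors or from the Community FlowSpec project) that encodes rules of the kind Chris asks about as RFC 5575 NLRI bytes, together with the traffic-rate extended community that makes them a drop action. The function and constant names are my own; it covers only the numeric-operator component types (prefix, protocol, ports, packet length) and leaves out the bitmask types (TCP flags, fragment), and it says nothing about how a given router compiles these into filter terms, which is the SRAM question raised above.

```python
"""RFC 5575 FlowSpec NLRI encoder/decoder (added example, not from the thread)."""
import ipaddress
import struct

# Component types, RFC 5575 section 4
DST_PREFIX, SRC_PREFIX, IP_PROTO = 1, 2, 3
PORT, DST_PORT, SRC_PORT = 4, 5, 6
PKT_LEN = 10

# Numeric operator byte: e(bit7) a(bit6) len(bits5-4) 0 lt gt eq
OP_END, OP_AND = 0x80, 0x40
OP_LT, OP_GT, OP_EQ = 0x04, 0x02, 0x01
_LEN_CODE = {1: 0x00, 2: 0x10, 4: 0x20, 8: 0x30}


def _numeric_op(flags, value, end):
    """One operator/value pair; value width is the smallest of 1/2/4/8 octets."""
    width = next(w for w in (1, 2, 4, 8) if value < 1 << (8 * w))
    op = flags | _LEN_CODE[width] | (OP_END if end else 0)
    return bytes([op]) + value.to_bytes(width, "big")


def prefix_component(ctype, cidr):
    """Type 1 (destination) or 2 (source) prefix: length octet + minimal prefix bytes."""
    net = ipaddress.IPv4Network(cidr)  # RFC 5575 is IPv4 only
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype, ops):
    """ops: list of (flags, value); the last pair carries the end-of-list bit."""
    out = bytes([ctype])
    for i, (flags, value) in enumerate(ops):
        out += _numeric_op(flags, value, end=(i == len(ops) - 1))
    return out


def flowspec_nlri(components):
    """components: [(type, bytes)]; RFC 5575 requires strict ascending type order."""
    body = b"".join(c for _, c in sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body  # extended length


def traffic_rate_community(rate_bps, asn=0):
    """Traffic-rate extended community (type 0x80, sub-type 0x06); rate 0 = discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(rate_bps))


def decode_nlri(data):
    """Parse one NLRI back into [(type, value)]; numeric-operator types only."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end, comps = pos + length, []
    while pos < end:
        ctype = data[pos]
        pos += 1
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen = data[pos]
            nbytes = (plen + 7) // 8
            addr = ipaddress.IPv4Address(data[pos + 1:pos + 1 + nbytes].ljust(4, b"\0"))
            comps.append((ctype, f"{addr}/{plen}"))
            pos += 1 + nbytes
        else:
            ops = []
            while True:
                op = data[pos]
                width = 1 << ((op >> 4) & 0x3)
                value = int.from_bytes(data[pos + 1:pos + 1 + width], "big")
                ops.append((op & 0x47, value))  # keep a/lt/gt/eq, drop e and len
                pos += 1 + width
                if op & OP_END:
                    break
            comps.append((ctype, ops))
    return comps


# Chris's "deny ip 127.0.0.0 0.255.255.255 any" as a flowspec route + drop action
def loopback_source_drop():
    nlri = flowspec_nlri([(SRC_PREFIX, prefix_component(SRC_PREFIX, "127.0.0.0/8"))])
    return nlri, traffic_rate_community(0)


# A rule with protocol/port/size (constructed sample): TCP to 192.0.2.0/24:80, >1024 bytes
def big_http_drop():
    nlri = flowspec_nlri([
        (DST_PREFIX, prefix_component(DST_PREFIX, "192.0.2.0/24")),
        (IP_PROTO, numeric_component(IP_PROTO, [(OP_EQ, 6)])),
        (DST_PORT, numeric_component(DST_PORT, [(OP_EQ, 80)])),
        (PKT_LEN, numeric_component(PKT_LEN, [(OP_GT, 1024)])),
    ])
    return nlri, traffic_rate_community(0)


if __name__ == "__main__":
    for name, (nlri, ext) in (("127/8 src", loopback_source_drop()), ("big http", big_http_drop())):
        print(f"{name}: nlri={nlri.hex()} ext-community={ext.hex()} -> {decode_nlri(nlri)}")
```

The first rule is three bytes of NLRI (type 2, prefix length 8, one prefix octet) plus an eight-byte traffic-rate community; the second packs four components into fifteen bytes. Either is tiny on the wire, which is why the cost Richard describes is about what the receiving router's filter compiler does with the rule, not the BGP update itself.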