[164790] in North American Network Operators' Group


Re: nLayer IP transit

daemon@ATHENA.MIT.EDU (Mark Tees)
Thu Aug 1 17:12:10 2013

In-Reply-To: <20130801173053.GV67768@gerbil.cluepon.net>
From: Mark Tees <marktees@gmail.com>
Date: Fri, 2 Aug 2013 07:11:34 +1000
To: Richard A Steenbergen <ras@e-gerbil.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Thanks for the replies.

I think I saw somewhere around the Cloudflare outage post someone mentioning that since the person at Juniper that was responsible for Flowspec left, it all went downhill.

I take it Flowspec is still used internally, then? I am still wondering if it's best to avoid Flowspec and roll your own firewall rules applied via Netconf for transit interfaces to achieve the same sort of functionality.

On 02/08/2013, at 3:30 AM, Richard A Steenbergen <ras@e-gerbil.net> wrote:

> On Thu, Aug 01, 2013 at 10:00:49AM +1000, Mark Tees wrote:
>> Howdy listers,
>>
>> I remember reading a while back that customers of nLayer IP transit
>> services could send in Flowspec rules to nLayer. Anyone know if that
>> is true/current?
>
> We were forced to stop offering flowspec connections to customers, after
> we started experiencing a rash of issues with it. Among other things, we
> found ways for flowspec generated rules to easily cause non-line-rate
> performance on Juniper MX boxes, and we had a couple of incidents where
> customer generated routes were able to cause cascading failure behaviors
> like crashing the firewall compiler processes across the entire network.
>
> I previously mentioned some of this here:
>
> http://mailman.nanog.org/pipermail/nanog/2011-January/030051.html
>
> There have also been a few other high profile outages caused by bugs in
> the Juniper implementation, for example:
>
> https://support.cloudflare.com/entries/23294588-CloudFlare-Post-Mortem-from-Outage-on-March-3-2013
>
> As a concept I still very much like Flowspec, and wish we could continue
> to offer it to customers, but as with any "new" routing protocol there
> are significant risks of network-wide impact if the implementation is
> not stable.
>
> IMHO Juniper has done a horrible job of maintaining support for Flowspec
> in recent years, and has effectively abandoned doing the proper testing
> and support necessary to run it in production. Until that changes, or
> until some other major router vendors pick it up and do better with it,
> I don't expect to see any major changes in this position any time soon.
>
> -- 
> Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)