[180609] in North American Network Operators' Group

Re: GRE performance over the Internet - DDoS cloud mitigation

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Mon Jun 8 07:25:22 2015

X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: nanog@nanog.org
Date: Mon, 08 Jun 2015 18:25:14 +0700
In-Reply-To: <CAOLsBOuJ5O=EOgmCgp8dm5=fHQ3hJP4Nw-hc=mJGSZNuLuoR3A@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org


On 8 Jun 2015, at 17:57, Ramy Hashish wrote:

> a BGP session has to be established over a GRE tunnel over the 
> internet between the ISP/NSP/DC and the cloud scrubbing center,

This is incorrect.

In most cloud overlay DDoS mitigation scenarios (e.g., end-customer 
obtains service from an MSSP which isn't providing them with transit), 
a) there is no BGP relationship whatsoever between the end-customer and 
the MSSP, and b) the GRE tunnel is used strictly for re-injection of 
clean traffic (i.e., post-mitigation) to the end-customer.

In some scenarios, DNS is also used in place of/in addition to BGP-based 
diversion.

But GRE is used for re-injection only.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
