[189039] in North American Network Operators' Group
Re: BGP FlowSpec
daemon@ATHENA.MIT.EDU (Danny McPherson)
Mon May 2 09:58:21 2016
X-Original-To: nanog@nanog.org
Date: Mon, 02 May 2016 09:54:12 -0400
From: Danny McPherson <danny@tcb.net>
To: Martin Bacher <ti14m028@technikum-wien.at>
In-Reply-To: <108D89EF-9A19-4E77-A7F3-356C44411D89@technikum-wien.at>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On 2016-05-02 09:48 AM, Martin Bacher wrote:
>
> So filtering as precise as possible and as close as possible to the
> attack source is maybe the best option we have at the moment.
That was precisely my point! If an upstream isn't filtering at their
ingress (or their egress) the optimal place for me to filter is at my
ingress. Of course I'd rather have something akin to inter-domain
pushback or FlowSpec, etc.. But you can't control how, or assume others
will act on that.
-danny
