[189057] in North American Network Operators' Group
Re: BGP FlowSpec
daemon@ATHENA.MIT.EDU (Martin Bacher)
Mon May 2 18:15:01 2016
X-Original-To: nanog@nanog.org
From: Martin Bacher <ti14m028@technikum-wien.at>
In-Reply-To: <27975276-515D-4DBE-98BA-96BAD63E25B7@arbor.net>
Date: Tue, 3 May 2016 00:13:19 +0200
To: Roland Dobbins <rdobbins@arbor.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
> On 02.05.2016 at 23:38, Roland Dobbins <rdobbins@arbor.net> wrote:
>
> On 2 May 2016, at 20:16, Martin Bacher wrote:
>
>> However, Tier 1s and most probably also some of the Tier 2s may not want to offer it to customers because they are losing money if less traffic is sent downstream on IP-Transit links.
>
> I will go a step further than Danny's comments and state that this is categorically and demonstrably untrue.
>
> Many of the quite large 'Tier-1' and 'Tier-2' (using the old terminology) operators on this list offer commercial DDoS mitigation services making use of technologies like D/RTBH, S/RTBH, IDMS, et al. due to customer demand. They need these capabilities in order to defend their own properties and assets, and they are also offering them to end-customers who want and need them.
>
> In point of fact, it's becoming difficult to find one which *doesn't* offer this type of service.
It was not meant to be a general statement that they are not offering anti-DDoS services in whatever flavor. But you usually just get what you pay for. Furthermore, my statement was related to inter-AS BGP-FS and that providers may not offer it to customers but use it instead for traffic remarking to something like worse than best effort and still forwarding it to a customer under attack if he is not paying extra fees for DDoS mitigation. That does not mean that the ISP does not help on request or deploys countermeasures if its own infrastructure or other customers are suffering from that attack. But he may not perform any mitigation (except for its own protection) by default.
>
> There were a couple of situations in the first half of the first decade of this millennium where operators took this attitude. But they changed their tunes pretty rapidly once they themselves were impacted, and once they started losing customers because they couldn't and wouldn't protect them.
>
> And as Danny notes, these technologies are all tools in the toolbox. NFV and 'SDN' have tremendous potential to make it a lot easier to bring mitigation resources to bear in a dynamic and optimal fashion within single spans of administrative control; and there are standards-based efforts underway to provide for a higher degree of automation, increased rapidity of response, and interoperability in both inter- and intra-network DDoS mitigation scenarios.
Sounds nice. Looking forward to seeing that implemented on a large scale in inter-AS setups. But I am not sure if this will really happen.
>
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>