BGP Flowspec is a technique for distributing flow specification rules via BGP. It allows an ISP to dynamically distribute filtering and redirection rules to mitigate DDoS attacks. The document discusses several real-world use cases where BGP Flowspec was deployed to successfully block large DDoS attacks in a targeted manner without affecting legitimate traffic. However, interoperability between vendors and scalability challenges remain open issues requiring further work and testing.
2. Agenda
• BGP Flowspec Overview
• BGP Flowspec case study
• JANOG35 Q&A
3. DDoS traffic is always changing…
http://www.digitalattackmap.com/
4. Effect of a DDoS attack
(Diagram: attack traffic toward the target service 203.0.113.1 crosses the customer aggregation node/line, the backbone bandwidth and the customer line/node/service)
The effect is felt network-wide…
5. RTBH (Remote Triggered Black Hole Filtering)
(Diagram: target service 203.0.113.1; every router already holds the static route "192.0.2.1 null0"; the trigger advertises "203.0.113.1 via 192.0.2.1", so each router resolves 203.0.113.1 -> 192.0.2.1 -> null0 and discards the traffic)
• RTBH (RFC5635) is a well-known technique in ISPs
• A static route to null (black hole) is configured in advance
• When an incident happens, BGP advertises the route
• DDoS traffic is stopped
6. Why BGP Flow Specification is needed (NetFlow + BGP attributes)
• With RTBH, users who are not part of the DDoS are cut off as well
• It is difficult to discover and apply rules against DDoS attacks that change rapidly and keep growing
7. BGP Flowspec (RFC5575) + draft-ietf-idr-flow-spec-v6
Flow Type (identifies the traffic): Dst IP, Src IP, protocol, port, Dst port, Src port, ICMP Type, ICMP Code, TCP Flags, Packet Length, DSCP, Fragment
Action Rule (policy executed against the traffic): traffic-rate, traffic-action, redirect, traffic-marking
The rules are carried in the BGP multiprotocol reachability attribute (MP_REACH_NLRI):
+---------------------------------------------------------+
| AFI (2 octets): 1 and 2                                 |
+---------------------------------------------------------+
| SAFI (1 octet): 133 and 134                             |
+---------------------------------------------------------+
| Length of Next Hop Network Address (1 octet)            |
+---------------------------------------------------------+
| Network Address of Next Hop (variable)                  |
+---------------------------------------------------------+
| Reserved (1 octet)                                      |
+---------------------------------------------------------+
| Network Layer Reachability Information (variable)       |
+---------------------------------------------------------+
SAFI 133: Dissemination of flow specification rules
SAFI 134: L3VPN dissemination of flow specification rules
• BGP Flowspec is defined in RFC5575; draft-ietf-idr-flow-spec-v6 covers IPv6 BGP Flowspec
• The Flow Type identifies the traffic, and the Action Rule executes the policy against that traffic
• "Flow Type" and "Action Rule" are advertised in a BGP UPDATE
9. Agenda
• BGP Flowspec Overview
• BGP Flowspec case study
• JANOG35 Q&A
10. Flowspec use case 1 (world wide)
Time Warner Telecom (TWTC), NANOG38 2006: "Deployment Experience With BGP Flow Specification"
https://www.nanog.org/meetings/nanog38/presentations/labovitz-bgp-flowsp
• DDoS problem
  • Large and frequent effect on end users
  • Not only end users but also the infrastructure is at risk
  • OPEX increase
• DDoS analysis
  • Large DDoS attacks by botnet armies / script kiddies
  • TCP SYN floods greater than 1Mpps
  • UDP fragments
  • Most attack sources were APNIC (Chinese) IP addresses, difficult to track due to national NAT
• Deployed Flowspec to peer & transit routers from the RR
  • Mitigation from the egress point to a cleaning VRF
• What was missing?
  • Multi-vendor support (deployed Juniper and Arbor)
  • Inter-carrier
  • Matching DSCP
11. Flowspec use case 2 (world wide)
Neo Telecoms, FRNOG18 2011: "Flowspec"
http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf
• Comparing RTBH/PBR and Flowspec
  • RTBH (Remote Triggered Black Hole): the website is protected from the DDoS attack, but no traffic reaches the website any more
  • PBR (Policy Based Routing): can control traffic precisely in hardware, but the customer has to contact the service provider operator to apply/remove the policy when a DDoS is detected
  • Flowspec: makes static PBR dynamic, propagates the PBR rules, and needs no additional communication channel
• Deployed Flowspec on transit routers
  • Would like to use it on eBGP architecturally, but cannot trust customers / prefer not to use flowspec on eBGP sessions for stability reasons
• What's next
  • IPv6 and VPNv6 support
  • Traffic monitoring
  • More vendors (only Juniper and Alcatel supported it at that time)
12. Flowspec use case 3 (world wide)
GRNET (Greek Research and Technology Network), TNC2012: "FireCircle: GRNET's approach to advanced network security services' management via bgp flow-spec and NETCONF"
https://tnc2012.terena.org/core/presentation/41
https://fod.grnet.gr/
• Background
  • Attackers use zombies; with a large army of zombies the DDoS traffic becomes massive (ex. DNS amp)
  • Need better tools
    - Granularity: per flow
    - Action: drop / rate-limit / redirect
    - Speed / efficiency / automation / manageability
• Deployed FireCircle
  • Wizard-based UI for customers to define policy
  • Applies XML configuration to the BGP flowspec router via NETCONF
  • eBGP flowspec propagates the policy to GRNET routers
• Expanding the service to the GEANT community
(Diagram labels: FireCircle, NETCONF, GRNET, GEANT, participant NREN)
13. Atlas DDoS trend report
http://www.janog.gr.jp/meeting/janog35/files/2014/2077/3840/janog35-bgpfs-agatsuma-1.pdf
• DDoS volume (average)
  • Japan Q2: 491.63Mbps, Q3: 365.8Mbps
  • Asia Q2: 530.5Mbps, Q3: 588.74Mbps
  • World wide Q2: 759.83Mbps, Q3: 858.98Mbps
• NTP amp trend (average volume)
  • Japan Q2: 3.22Gbps, Q3: 281.76Mbps
  • Asia Q2: 2.57Gbps, Q3: 2.70Gbps
• Attack duration
  • 92% of DDoS stops within 1 hour
  • Japan: >1 hour 92%, average 3h21m
  • Asia: >1 hour 94.1%, average 31m
• Professional DDoS services exist
  ex) 5 min free, 4$/hour
Service   UDP source port   Q3 maximum DDoS volume   Q3 average DDoS volume
SNMP      161               3.75Gbps                 769.1Mbps
Chargen   19                21.26Gbps                1.12Gbps
DNS       53                43.45Gbps                1.31Gbps
SSDP      1900              51Gbps                   5.11Gbps
• What's next
  • NTP amp attacks can create big volumes
  • So attackers are moving to other protocols
  • SSDP (1900) is increasing
14. Flowspec use case 1 (Japan)
• ISP interested in BGP Flowspec
  • Amp attacks are increasing: under 5% -> over 70%
  • and valuable
  • Src 53 Dst 0 / Src 123 / Src 1900 / Dst 80
Protect method   For                Point                                  If Flowspec deployed
RTBH             rapid action       protects against short-duration DDoS   more specific flow; can use a policer for DDoS amp
ACL              permanent action   flexible / needs time to deploy        to be rapid / manage ACL rules
Mitigation       premier service    expensive                              would be effective
15. Flowspec use case 2 (Japan)
• ISP that already deployed with Juniper
  • and would like to deploy more widely with Cisco
• Flowspec is a very useful feature against today's DDoS, but one consideration point is the scalability spec of the forwarding router
• The rule was too long, so the forwarding router could not apply the filter; as a result not only the DDoS but also normal traffic went down
(Diagram: DDoS detected -> BGP update sent -> rule was too long for the forwarding router, which could not apply the filter)
16. Agenda
• BGP Flowspec Overview
• BGP Flowspec case study
• JANOG35 Q&A
17. Discussion summary
• JANOG had a session on BGP Flowspec at JANOG35
  Shishio Tsuchiya, Cisco Systems G.K.
  Shojiro Hirasawa, BIGLOBE Inc.
  Satoshi Agatsuma, TOYO Corporation
  http://www.janog.gr.jp/en/index.php?JANOG35_Meeting%2FJANOG35_Program_Contents%2FBGPFS
  http://www.janog.gr.jp/meeting/janog35/program/bgpfs/
• Sharing the questions/discussion from the JANOG35 meeting
18. Q1. Is Flowspec really useful?
• Let's confirm the details in the RFC and the IETF WG draft.
Type  IPv4 (RFC5575)      IPv6 (flow-spec-v6)
1     Destination Prefix  Destination IPv6 Prefix
2     Source Prefix       Source IPv6 Prefix
3     IP Protocol         Next Header
4     Port                Port
5     Destination port    Destination port
6     Source port         Source Port
7     ICMP type           ICMP type
8     ICMP code           ICMP type
9     TCP flags           TCP flags
10    Packet length       Packet length
11    DSCP                DSCP
12    Fragment            Fragment
13    N/A                 Flow Label
Flow types carry an operator code which can specify lt (less than), gt (greater than) and eq (equal).
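As an added example (not code from the slides or from any vendor), the encoding that slide 7 and the table above describe: building and parsing an RFC 5575 IPv4 flowspec NLRI with prefix components, numeric components carrying the lt/gt/eq operator bits, the one- or two-octet NLRI length, and a matcher that applies the operator list to a packet. The SSDP rule and the packet fields are constructed sample values, and only component types 1 to 6 are handled.

```python
"""Flowspec NLRI encode/decode/match (RFC 5575 section 4; IPv4 only)."""
import ipaddress
import struct
# Component types from the slide table (IPv4 numbering of RFC 5575); types 7-12 omitted.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
PREFIX_TYPES, NUMERIC_TYPES = {DST_PREFIX, SRC_PREFIX}, {IP_PROTO, PORT, DST_PORT, SRC_PORT}
FIELD = {IP_PROTO: "proto", DST_PORT: "dport", SRC_PORT: "sport"}  # PORT checks both ports
# Numeric operator octet: e (end of list) | a (and) | len (2 bits) | 0 | lt | gt | eq
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01

def encode_nlri(components):
    """components: list of (type, spec). A prefix spec is an IPv4 network string; a
    numeric spec is a list of (flags, value) with flags from OP_LT/OP_GT/OP_EQ/OP_AND."""
    body = b""
    for ctype, spec in sorted(components, key=lambda c: c[0]):  # ascending type order
        if ctype in PREFIX_TYPES:
            net = ipaddress.IPv4Network(spec)
            nbytes = (net.prefixlen + 7) // 8  # prefix octets are encoded minimally
            body += bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]
        elif ctype in NUMERIC_TYPES:
            body += bytes([ctype])
            for i, (flags, value) in enumerate(spec):
                code = next(c for c in range(4) if value < 1 << (8 << c))  # 1, 2, 4, 8 octets
                op = flags | code << 4 | (OP_END if i == len(spec) - 1 else 0)
                body += bytes([op]) + value.to_bytes(1 << code, "big")
        else:
            raise ValueError(f"component type {ctype} not handled here")
    if len(body) < 240:  # one-octet length
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body  # two-octet extended length

def decode_nlri(data):
    """Inverse of encode_nlri: returns (components, octets consumed)."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end, comps = pos + length, []
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype in PREFIX_TYPES:
            plen, pos = data[pos], pos + 1
            nbytes = (plen + 7) // 8
            addr = int.from_bytes(data[pos:pos + nbytes].ljust(4, b"\0"), "big")
            comps.append((ctype, str(ipaddress.IPv4Network((addr, plen), strict=False))))
            pos += nbytes
        elif ctype in NUMERIC_TYPES:
            terms = []
            while True:
                op, pos = data[pos], pos + 1
                size = 1 << (op >> 4 & 0x3)
                terms.append((op & (OP_AND | OP_LT | OP_GT | OP_EQ), int.from_bytes(data[pos:pos + size], "big")))
                pos += size
                if op & OP_END:
                    break
            comps.append((ctype, terms))
        else:
            raise ValueError(f"component type {ctype} not handled here")
    return comps, pos

def _numeric_match(terms, value):
    """Evaluate an operator list as an OR of AND-groups (AND binds tighter)."""
    groups = []
    for flags, ref in terms:
        hit = bool((flags & OP_LT and value < ref) or (flags & OP_GT and value > ref) or (flags & OP_EQ and value == ref))
        if flags & OP_AND and groups:
            groups[-1] = groups[-1] and hit
        else:
            groups.append(hit)
    return any(groups)

def matches(components, pkt):
    """Does a packet (dict: dst, src, proto, sport, dport) match the decoded rule?"""
    for ctype, spec in components:
        if ctype in PREFIX_TYPES:
            addr = ipaddress.IPv4Address(pkt["dst" if ctype == DST_PREFIX else "src"])
            if addr not in ipaddress.IPv4Network(spec):
                return False
        elif ctype == PORT:
            if not (_numeric_match(spec, pkt["sport"]) or _numeric_match(spec, pkt["dport"])):
                return False
        elif not _numeric_match(spec, pkt[FIELD[ctype]]):
            return False
    return True

# Constructed example: drop SSDP (UDP source port 1900) toward the target 203.0.113.1.
SSDP_RULE = [(DST_PREFIX, "203.0.113.1/32"), (IP_PROTO, [(OP_EQ, 17)]), (SRC_PORT, [(OP_EQ, 1900)])]
```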
19. Q1. Is Flowspec really useful? (cont'd)
• Most action rules are defined for both IPv4 and IPv6.
• But the IP redirect seems confusing; watch the idr WG activity
Type            Extended community          Actual action                                                                      RFC/draft
0x8006          traffic-rate                policing rate, 0: drop                                                             RFC5575
0x8007          traffic-action              specific action; terminal bit (0 is terminal), sample bit (1 is logging/sampling)  RFC5575
0x8008          redirect AS-2byte           redirect to specific VRF                                                           flowspec-redirect-rt-bis
0x8208          redirect AS-4byte           redirect to specific VRF                                                           flowspec-redirect-rt-bis
0x800b          redirect IPv6-specific AS   redirect to specific VRF                                                           flow-spec-v6
0x8108          redirect IPv4 address       redirect to next hop address                                                       flowspec-redirect-rt-bis, flowspec-redirect-ip
(not on slide)  redirect IPv6 address       redirect to next hop address                                                       flowspec-redirect-ip
0x8009          traffic-marking             marking DSCP values                                                                flowspec-redirect-rt-bis, flow-spec-v6
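Added example (not the deck's own code): encoding and decoding the action extended communities from the table above, with the traffic-action terminal bit read as the slide states (0 = terminal). The AS numbers, addresses and DSCP values are constructed; the IPv6 redirect forms are not covered.

```python
"""Flowspec action extended communities (RFC 5575 section 7): encode and decode."""
import ipaddress
import struct

TRAFFIC_RATE, TRAFFIC_ACTION, REDIRECT_AS2, TRAFFIC_MARKING = 0x8006, 0x8007, 0x8008, 0x8009
REDIRECT_IPV4, REDIRECT_AS4 = 0x8108, 0x8208
CONTINUE, SAMPLE = 0x01, 0x02  # traffic-action bits in the last octet (bit 47 and bit 46)

def traffic_rate(asn, bytes_per_sec):
    """Police to bytes_per_sec (IEEE float32 after a 2-octet AS); 0 means drop."""
    return struct.pack("!HHf", TRAFFIC_RATE, asn, bytes_per_sec)

def traffic_action(terminal=True, sample=False):
    """Terminal bit clear (0) = stop after this rule, as the slide states; set = continue."""
    flags = (0 if terminal else CONTINUE) | (SAMPLE if sample else 0)
    return struct.pack("!H5xB", TRAFFIC_ACTION, flags)

def redirect_vrf(asn, local_admin):
    """Route-target style VRF redirect; 2-byte or 4-byte AS form chosen by AS size."""
    if asn < 1 << 16:
        return struct.pack("!HHI", REDIRECT_AS2, asn, local_admin)
    return struct.pack("!HIH", REDIRECT_AS4, asn, local_admin)

def redirect_ipv4(address, local_admin):
    """IPv4-address-specific redirect (0x8108)."""
    return struct.pack("!H4sH", REDIRECT_IPV4, ipaddress.IPv4Address(address).packed, local_admin)

def traffic_marking(dscp):
    """Five zero octets, then the DSCP value in the low 6 bits of the sixth."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a 6-bit value")
    return struct.pack("!H5xB", TRAFFIC_MARKING, dscp)

def decode(ext_comm):
    """Decode one 8-octet extended community into a readable dict."""
    if len(ext_comm) != 8:
        raise ValueError("an extended community is 8 octets")
    etype, val = struct.unpack("!H", ext_comm[:2])[0], ext_comm[2:]
    if etype == TRAFFIC_RATE:
        asn, rate = struct.unpack("!Hf", val)
        return {"action": "traffic-rate", "asn": asn, "bytes_per_sec": rate, "drop": rate == 0.0}
    if etype == TRAFFIC_ACTION:
        return {"action": "traffic-action", "terminal": not val[5] & CONTINUE, "sample": bool(val[5] & SAMPLE)}
    if etype in (REDIRECT_AS2, REDIRECT_AS4):
        asn, la = struct.unpack("!HI" if etype == REDIRECT_AS2 else "!IH", val)
        return {"action": "redirect", "target": f"{asn}:{la}"}
    if etype == REDIRECT_IPV4:
        addr, la = struct.unpack("!4sH", val)
        return {"action": "redirect", "target": f"{ipaddress.IPv4Address(addr)}:{la}"}
    if etype == TRAFFIC_MARKING:
        return {"action": "traffic-marking", "dscp": val[5] & 0x3F}
    return {"action": "unknown", "type": hex(etype)}

def summarize(ext_comms):
    """Decode every community attached to one flowspec NLRI."""
    return [decode(c) for c in ext_comms]
```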
21. Q2. How about interoperability in a multi-vendor network?
(Slide shows an interop matrix with Cisco IOS, Cisco IOS-XR, JNPR JUNOS, ALU SR-OS, Arbor and Genie on both axes; the cell results are not recoverable from the text)
• There are some interop reports, but more interop testing may be needed before deploying in an ISP network
22. Q3. Is flow really enough to monitor ISP traffic?
(Diagram: DDoS traffic and normal traffic entering the network)
Inline type model                                              Off-ramp model
needs many devices to monitor all subscribers                  can use a shared resource
has to monitor huge traffic                                    only suspect traffic transits to mitigation
when mitigation fails, the failed device should just pass      when mitigation fails, advertise BGP to change the rule
traffic through
• An off-ramp solution would be reasonable
23. Q4. How is DDoS on mobile networks?
• Today most mobile carriers have deployed CGN as the solution to IPv4 exhaustion.
• Malware / DDoS tools for Android already exist.
• Flow-based filtering will become more important to reduce the side effects of DDoS
(Diagram: subscriber side uses RFC6598 ISP shared addresses or RFC1918 private addresses; the CGN translates to a global address toward the Internet)
24. Q5. Performance issue?
• It depends on the router architecture.
  APNIC38, Geoff Huston (APNIC): What's so special about 512?
  APRICOT2012, Greg Hankins (Brocade): Pushing the Limits, A Perspective on Router Architecture Challenges
• Usually QoS/PBR is implemented in TCAM, so the performance impact should be minimal.
https://supportforums.cisco.com/document/105496/asr9000xr-understanding-route-scale
25. Q6. eBGP use case?
• Flowspec should work over an eBGP peer, but the eBGP validation rule for received routes would have to be relaxed.
• On a transit AS or a route server at an IXP it would be a desirable service, because if one AS sends DDoS traffic it affects another AS.
• Since the validation rule would be relaxed, maybe we should consider a co-existence solution with RPKI to get a stronger security solution.
• Should check "Revised Validation Procedure for BGP Flow Specifications", draft-ietf-idr-bgp-flowspec-oid
(Diagram labels: ROA, Transit AS, Route Server on IXP, co-exist with RPKI)
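Added example, not from the slides: the RFC 5575 section 6 validation check that the discussion above says would have to be relaxed for eBGP, modelled over a small constructed unicast RIB with a route-server flavour. The accept_local_origin flag is this example's own simplified stand-in for the relaxation in the draft named above (it only skips the originator check for routes with an empty AS_PATH), not the draft's exact rule.

```python
"""Flowspec route validation (RFC 5575 section 6) against the unicast RIB."""
import ipaddress

def best_match(unicast_rib, dst_prefix):
    """Longest unicast route covering the flowspec destination prefix, or None."""
    dst = ipaddress.IPv4Network(dst_prefix)
    covering = [r for r in unicast_rib if dst.subnet_of(ipaddress.IPv4Network(r["prefix"]))]
    return max(covering, key=lambda r: ipaddress.IPv4Network(r["prefix"]).prefixlen, default=None)

def validate_flowspec(unicast_rib, fs, accept_local_origin=False):
    """Return (feasible, reason) for one flowspec NLRI.

    unicast_rib: list of {"prefix", "originator", "neighbor_as"} (constructed model)
    fs: {"dst_prefix", "originator", "as_path"} for the flowspec route
    accept_local_origin: simplified model (an assumption of this example) of the
    relaxation in draft-ietf-idr-bgp-flowspec-oid: a flowspec route with an empty
    AS_PATH (originated inside the local AS, e.g. via the RR) skips check (a).
    """
    if fs.get("dst_prefix") is None:
        return False, "no destination prefix component to validate against"
    best = best_match(unicast_rib, fs["dst_prefix"])
    if best is None:
        return False, "no unicast route covers the destination prefix"
    local_origin = accept_local_origin and not fs.get("as_path")
    # (a) the flowspec originator must be the originator of the best-match unicast route
    if not local_origin and fs["originator"] != best["originator"]:
        return False, f"originator {fs['originator']} is not the unicast originator {best['originator']}"
    # (b) no more-specific unicast route may come from a different neighboring AS
    dst = ipaddress.IPv4Network(fs["dst_prefix"])
    for r in unicast_rib:
        net = ipaddress.IPv4Network(r["prefix"])
        if net.prefixlen > dst.prefixlen and net.subnet_of(dst) and r["neighbor_as"] != best["neighbor_as"]:
            return False, f"more-specific {r['prefix']} learned from AS{r['neighbor_as']}"
    return True, "feasible"
```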
26. Q7. How about OpenFlow DDoS solutions?
• There are OpenFlow DDoS protection solutions.
• Hybrid OF uses TCAM as well.
• The differences are the network architecture (fully distributed vs controller) and the API (OF vs BGP)
27. Summary
• Current DDoS is high volume / short duration / amp attacks, variable and increasing
• BGP Flowspec is a useful solution against today's DDoS attacks
• BGP Flowspec is almost ready to deploy in ISP networks.
• Need detailed implementation information from each vendor (scalability / next-hop address / IPv6) and interoperability test results.
• eBGP should work, and customers may desire on-demand firewall/PBR services like FireCircle.