nanog mailing list archives
Re: NANOG Digest, Vol 90, Issue 1
From: "Roland Dobbins" <rdobbins () arbor net>
Date: Wed, 08 Jul 2015 22:26:22 +0700
On 8 Jul 2015, at 21:26, Ramy Hashish wrote:
I am very happy because somebody is on the same page.
This is not what you were asking about in your original post on this topic - you were talking about BGP sessions inside GRE tunnels, which is not how most (any?) DDoS mitigation services operate, to my knowledge.
GRE is used over the Internet for many different applications, including post-DDoS-mitigation re-injection of legitimate traffic onwards to the server/services under protection. Hardware-based GRE processing is required on both ends for anything other than trivial speeds; in general, the day of software-based Internet routers is long gone, and any organization still running software-based routers on their transit/peering edge is at risk.
DDoS mitigation providers using GRE for re-injection should set the MTU on their mitigation center diversion interfaces to 1476, and MSS-clamping on those same interfaces to 1436, as a matter of course.
This is not a new model; it has been extant for many years. There are a variety of overlay and transit-focused DDoS mitigation service providers who utilize this model. In your original post on this topic, you also made the assertion that these issues had not been addressed by DDoS mitigation service operators; that assertion is incorrect.
----------------------------------- Roland Dobbins <rdobbins () arbor net>
Current thread:
- Re: NANOG Digest, Vol 90, Issue 1 Ramy Hashish (Jul 08)
- Re: NANOG Digest, Vol 90, Issue 1 Roland Dobbins (Jul 08)
- Re: NANOG Digest, Vol 90, Issue 1 Roland Dobbins (Jul 08)
- Re: NANOG Digest, Vol 90, Issue 1 Dennis B (Jul 17)
- Re: NANOG Digest, Vol 90, Issue 1 Watson, Bob (Jul 17)
- Re: NANOG Digest, Vol 90, Issue 1 Roland Dobbins (Jul 08)
- Re: NANOG Digest, Vol 90, Issue 1 Roland Dobbins (Jul 08)