Re: BGP FlowSpec

[Martin Bacher <ti14m028 () technikum-wien at>]

> Am 02.05.2016 um 23:38 schrieb Roland Dobbins <rdobbins () arbor net>:
>
> On 2 May 2016, at 20:16, Martin Bacher wrote:
>
> > However, Tier 1s and most probably also some of the Tier 2s may not want to offer it to customers because they are 
> > loosing money if less traffic is sent downstream on IP-Transit links.
>
> I will go a step further than Danny's comments and state that this is categorically and demonstrably untrue.
>
> Many of the quite large 'Tier-1' and 'Tier-2' (using the old terminology) operators on this list offer commercial 
> DDoS mitigation services making use of technologies like D/RTBH, S/RTBH, IDMS, et. al. due to customer demand.  They 
> need these capabilities in order to defend their own properties and assets, and they are also offering them to 
> end-customers who want and need them.
>
> In point of fact, it's becoming difficult to find one which *doesn't* offer this type of service.
It was not meant to be a general statement that they are not offering anti DDoS services in whatever flavor. But you 
usually just get what you pay for. Furthermore, my statement was related to inter-AS BGP-FS and that providers may not 
offer it to customers but use in instead for traffic remarking to something like worse than best effort and still 
forwarding it to a customer under attack if he is not paying extra fees for DDoS mitigation. That does not mean that 
the ISP does not help on request or deploys countermeasures if its own infrastructure or other customers are suffering 
from that attack. But he may not perform any mitigation (except for the own protection) by default. 


> There were a couple of situations in the first half of the first decade of this millennium where operators took this 
> attitude.  But they changed their tunes pretty rapidly once they themselves were impacted, and once they started 
> losing customers because they couldn't and wouldn't protect them.
>
> And as Danny notes, these technologies are all tools in the toolbox.  NFV and 'SDN' have tremendous potential to make 
> it a lot easier to bring mitigation resources to bear in a dynamic and optimal fashion within single spans of 
> administrative control; and there are standards-based efforts underway to provide for a higher degree of automation, 
> increased rapidity of response, and interoperability in both inter- and intra-network DDoS mitigation scenarios.
Sounds nice. Looking forward to see that implemented on a large scale in inter-AS setups. But I am not sure if this 
will really happen. 

> -----------------------------------
> Roland Dobbins <rdobbins () arbor net>