nanog mailing list archives
Re: Request comment: list of IPs to block outbound
From: Saku Ytti <saku () ytti fi>
Date: Tue, 22 Oct 2019 13:54:05 +0300
On Mon, 21 Oct 2019 at 23:14, <adamv0025 () netconsultings com> wrote:
> The obvious drawback especially for TCAM based systems is the scale, so not only we'd need to worry if our FIB can hold 800k prefixes, but also if the filter memory can hold the same amount - in addition to whatever additional filtering we're doing at the edge (comb filters for DoS protection etc...)
This is actually a somewhat cheap problem, if you optimise for it. That is, rules are somewhat expensive, but N prefixes per rule are not, when designed with that requirement. Certainly the BOM effect can be entirely ignored. However this is of course only true if that was a design goal, won't help in a situation where HW is in place and does not scale there. Just pointing out that there are no technical or commercial problems getting there, should we so want.
--
++ytti