nanog mailing list archives

Re: DDoS Mitigation Survey


From: "Dobbins, Roland" <Roland.Dobbins () netscout com>
Date: Wed, 15 Jan 2020 00:50:09 +0000


On 15 Jan 2020, at 6:37, Lumin Shi wrote:

> What we meant by "may not have necessary capacity" is that routers do not
> have enough CAM/TCAM space to deploy/install ACLs, BGP FlowSpec rules
> against large-scale DDoS attacks without 1) incurring major collateral
> damage (e.g., deploy /16 source-based rules instead of /32 so that more
> DDoS traffic can be filtered while using less CAM/TCAM space), or 2)
> performance penalties that are introduced by deploying more filters than a
> router's data plane can support (i.e., data plane to control plane I/O
> limitation).

We can agree that nothing is infinite, nothing is free. TANSTAAFL.

Nevertheless, despite the fact that TCAM space is neither infinite nor 
free, and while they aren't free in terms of performance, ACLs — 
whether installed statically or dynamically via flowspec rules — are 
used every second of every minute of every hour of every day to mitigate 
large-scale DDoS attacks on large networks.

Features do indeed contend for TCAM space, and of course operators want 
as much as is practicable. LOU expansion can affect how much TCAM space 
a given ACL consumes on a given ASIC/linecard/platform.  On hardware 
platforms from major vendors, TCAM space can often be carved to allocate 
features, and operators do this in order to allocate more space for ACL 
stanzas, or flowspec rules, or whatever.

However, as demonstrated above, your thesis as stated is overbroad and 
directly contradicted by operational reality.

A key point is that operators must understand the performance envelopes 
and characteristics of their infrastructure gear, so that they can avoid 
causing issues by overtaxing it.

Here is a particular .pdf presentation which discusses issues of this 
nature:

<https://app.box.com/s/xznjloitly2apixr5xge>

You are not wrong to posit that hardware capacity and capabilities are 
neither infinite nor free.  But that has been well-understood in the 
operational community for a long time, and is neither novel nor 
particularly insightful.  It certainly isn't a topic that one would 
imagine merits formal academic investigation, given that it's a 
commonplace amongst those involved in the operational community.

It just isn't an interesting topic, in and of itself.  Something broader 
in terms of operator perception of gaps across the gamut of required 
DDoS mitigation capabilities at scale would potentially be of more 
value.

Please feel free to contact me 1:1 to discuss further, if you like.

--------------------------------------------
Roland Dobbins <roland.dobbins () netscout com>
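The capacity/collateral trade-off raised in the quoted message (coarser source prefixes fit in less TCAM but also match non-attacking addresses) can be quantified. The script below is an added example, not code from anyone in this thread: it takes a constructed list of /32 attack sources and a hypothetical TCAM entry budget, shortens the prefix length one bit at a time until the rule set fits, and reports how many non-attack addresses the resulting rules would also drop. The source list, the budget and the /16 floor are all assumptions for illustration, not figures for any platform.

```python
"""Added example: size source-based ACL/FlowSpec rules to a TCAM budget and
measure the collateral damage of aggregating /32 sources into shorter prefixes.
All inputs are constructed; the entry budget is hypothetical."""
import ipaddress

# Constructed attack sources: 20 hosts in 198.51.100.0/24 and 10 in 203.0.113.0/24
# (both RFC 5737 documentation ranges), 30 distinct /32s in total.
SOURCES = [f"198.51.100.{i}" for i in range(1, 21)] + \
          [f"203.0.113.{i}" for i in range(10, 101, 10)]


def aggregate_to_budget(sources, budget, floor=16):
    """Return (prefix_len, rules): the longest single prefix length whose
    deduplicated covering prefixes fit within `budget` entries.
    Starts at /32 and shortens one bit at a time down to /`floor`."""
    addrs = sorted({ipaddress.ip_address(s) for s in sources})
    for plen in range(32, floor - 1, -1):
        # Map every source to its enclosing prefix of length plen; the set
        # collapses sources that share a prefix into one rule.
        rules = sorted({ipaddress.ip_network((int(a), plen), strict=False)
                        for a in addrs})
        if len(rules) <= budget:
            return plen, rules
    raise ValueError(f"{len(addrs)} sources do not fit {budget} entries even at /{floor}")


def collateral(rules, sources):
    """Number of addresses the rules match that are NOT attack sources.
    Valid because rules from aggregate_to_budget share one prefix length and
    are deduplicated, so they never overlap and cover every source."""
    attack = {ipaddress.ip_address(s) for s in sources}
    covered = sum(r.num_addresses for r in rules)
    return covered - len(attack)


def plan(sources, budget):
    """Convenience wrapper returning the figures an operator would compare."""
    plen, rules = aggregate_to_budget(sources, budget)
    return {"prefix_len": plen, "entries": len(rules),
            "collateral": collateral(rules, sources)}


if __name__ == "__main__":
    for budget in (30, 16, 8):
        p = plan(SOURCES, budget)
        print(f"budget {budget:>2} entries -> /{p['prefix_len']} rules, "
              f"{p['entries']} entries used, {p['collateral']} non-attack "
              f"addresses also filtered")
```

With a budget that holds every /32 the collateral is zero; halving the budget forces /30 rules and some spill-over, and a budget of eight entries forces /27 rules that drop 130 addresses that never sent attack traffic. The same loop can be run against a real source list and the TCAM carve actually configured on a given linecard to decide whether aggregation, a larger carve, or an upstream/scrubbing path is the better option.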
