Announcing the Community FlowSpec trial

Friends and colleagues,

At NANOG 48 I talked about a community flow-spec service we were
looking at trying to make work. This is the idea of using IETF RFC
5575 to pass around flow-based rules, in this case, primarily for
dropping unwanted packets.

This technology is not as widely deployed as traditional RTBH
techniques for a number of reasons. However, we thought perhaps it
was widely used enough, or could be, to justify what might be a
helpful and free 3rd party feed of flow-spec routes to keep our
networks a little bit cleaner.

A trial of this feed based on the traditional bogon routes can be had
by contacting me directly. We realize the traditional IPv4 reserved,
special and unallocated IPv4 bogon address is dwindling. Maybe there
is room for some other type of feed, but to justify that, we're looking
to see if even enough people would set up this presumably simpler feed
to help us and the community get some more experience with multi-hop
flow-spec.

Details in getting it up and running in your own test networks are here:

  <http://www.cymru.com/jtk/misc/community-fs.html>

John
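To make concrete what a feed like this actually carries on the wire, here is an added example (not part of this thread and not Team Cymru's feed code) that encodes and decodes RFC 5575 flow-spec NLRI: a destination-prefix component per bogon, the traffic-rate extended community with rate 0 that tells the receiver to discard, a narrower rule that also matches IP protocol and destination ports, and the two-octet length form used once an NLRI body reaches 240 octets. `SAMPLE_BOGONS` is a hand-picked constructed sample, not the feed's list, and every function and constant name is the example's own.

```python
"""RFC 5575 flow-spec NLRI encoder/decoder for "drop this traffic" rules.

Added example for this thread, not Team Cymru's feed code. SAMPLE_BOGONS is a
constructed hand-picked sample of never-routed IPv4 prefixes, not the feed list.
"""
import ipaddress
import struct

# RFC 5575 section 4 component types used here.
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT = 1, 2, 3, 5
PREFIX_TYPES = {DST_PREFIX: "dst_prefix", SRC_PREFIX: "src_prefix"}
NUMERIC_TYPES = {IP_PROTO: "ip_proto", DST_PORT: "dst_port"}
# RFC 5575 section 7: traffic-rate extended community, type 0x80 / sub-type 0x06.
# A rate of 0 bytes per second means "discard matching packets".
TRAFFIC_RATE = bytes([0x80, 0x06])

# Constructed sample (see module docstring); 224/4 is left out so the example
# does not read as a multicast blackhole.
SAMPLE_BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                 "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "240.0.0.0/4"]


def prefix_component(ctype, cidr):
    """Type 1/2: <type><prefix-len><only as many octets as the prefix needs>."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype, values):
    """Type 3/5/...: {operator, value} pairs OR'd together, equality only.

    Operator byte layout: e a len len 0 lt gt eq.  'e' (0x80) marks the last
    pair, len selects a 1/2/4/8-octet value, eq is bit 0.
    """
    out = bytearray([ctype])
    for i, v in enumerate(values):
        if v < 0x100:
            len_bits, fmt = 0, ">B"
        elif v < 0x10000:
            len_bits, fmt = 1, ">H"
        else:
            len_bits, fmt = 2, ">I"
        end = 0x80 if i == len(values) - 1 else 0x00
        out.append(end | (len_bits << 4) | 0x01)
        out += struct.pack(fmt, v)
    return bytes(out)


def encode_nlri(components):
    """Concatenate components and prepend the 1- or 2-octet length field."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    if len(body) >= 4096:
        raise ValueError("flow-spec NLRI body must be under 4096 octets")
    return struct.pack(">H", 0xF000 | len(body)) + body   # high nibble all ones


def traffic_rate_community(rate_bytes_per_sec=0.0, asn=0):
    """8-octet extended community: type, sub-type, 2-octet AS, IEEE-754 float."""
    return TRAFFIC_RATE + struct.pack(">Hf", asn, rate_bytes_per_sec)


def bogon_drop_rules(prefixes=SAMPLE_BOGONS):
    """One (NLRI, community) pair per prefix, discarding traffic *to* it.

    A second rule built with SRC_PREFIX is needed to drop packets *from* a bogon.
    """
    discard = traffic_rate_community(0.0)
    return [(encode_nlri([prefix_component(DST_PREFIX, p)]), discard)
            for p in prefixes]


def port_rule(dst_cidr, proto, dst_ports):
    """Narrower rule: destination prefix AND protocol AND any of the ports."""
    return encode_nlri([prefix_component(DST_PREFIX, dst_cidr),
                        numeric_component(IP_PROTO, [proto]),
                        numeric_component(DST_PORT, dst_ports)])


def decode_nlri(data):
    """Parse one flow-spec NLRI from a byte string; return (rule, leftover)."""
    if data[0] >= 0xF0:                       # two-octet extended length
        length, pos = ((data[0] & 0x0F) << 8) | data[1], 2
    else:
        length, pos = data[0], 1
    end = pos + length
    if end > len(data):
        raise ValueError("truncated flow-spec NLRI")
    rule = {}
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype in PREFIX_TYPES:
            plen = data[pos]
            nbytes = (plen + 7) // 8
            raw = data[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
            rule[PREFIX_TYPES[ctype]] = str(
                ipaddress.IPv4Network((int.from_bytes(raw, "big"), plen)))
            pos += 1 + nbytes
        elif ctype in NUMERIC_TYPES:
            values = []
            while True:
                op = data[pos]
                vlen = 1 << ((op >> 4) & 0x03)
                if (op & 0x07) != 0x01:
                    raise ValueError("only equality operators are handled here")
                values.append(int.from_bytes(data[pos + 1:pos + 1 + vlen], "big"))
                pos += 1 + vlen
                if op & 0x80:
                    break
            rule[NUMERIC_TYPES[ctype]] = values
        else:
            raise ValueError("unsupported component type %d" % ctype)
    if pos != end:
        raise ValueError("component ran past the NLRI length")
    return rule, data[end:]


if __name__ == "__main__":
    for nlri, community in bogon_drop_rules():
        print(decode_nlri(nlri)[0], nlri.hex(), community.hex())
```

Two things worth noticing before pointing a router at a third-party feed: a destination-prefix rule is all the bogon feed needs to mirror RTBH, but it says nothing about packets *sourced* from those ranges, and each extra component (protocol, ports) is what turns one route into a wider filter term on the receiving box, so the rule count alone understates the match work a router has to do.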

As a word of warning to anyone who wants to deploy this on their Juniper
routers (what other router vendors support it? :P), there are some
pretty serious performance considerations of which you should be aware.

For example, we discovered that on MX routers (with classic I-chip DPCs,
the performance should be somewhat better for Trio cards but we haven't
fully tested the exact numbers yet), installing as few as a dozen
flowspec routes can create firewall filters that use enough SRAM
accesses that you will no longer be able to achieve line rate
packets/sec. With a few more rules, you may find that your 10GE's will
only be able to handle 3-5Mpps instead of the normal 14.8Mpps. When this
happens, excess traffic above what the firewall filters can handle will
be silently discarded, with no indication in SNMP or "show interface"
that you're dropping packets (though you may be able to see it in "show
pfe statistics traffic" as Info cell drops).

I can't tell you what the performance numbers are for other platforms,
but anyone thinking about turning on flowspec from a third party source
(especially one who may be sending them a large number of rules) should
give serious consideration to the potential impact on their network
first.

> Friends and colleagues,
>
> At NANOG 48 I talked about a community flow-spec service we were
> looking at trying to make work. This is the idea of using IETF RFC
> 5575 to pass around flow-based rules, in this case, primarily for
> dropping unwanted packets.

<snip>

> As a word of warning to anyone who wants to deploy this on their Juniper
> routers (what other router vendors support it? :P), there are some
> pretty serious performance considerations of which you should be aware.
>
> For example, we discovered that on MX routers (with classic I-chip DPCs,
> the performance should be somewhat better for Trio cards but we haven't
> fully tested the exact numbers yet), installing as few as a dozen
> flowspec routes can create firewall filters that use enough SRAM

'as few as a dozen' - of things like:
(forgive the hackery into cisco-ese)
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any

or with port/protocol/flags/sizes/etc ?
(can you provide some examples of your dozen-or-so - give folk a
starting point in their testing)

-chris