GRE performance over the Internet - DDoS cloud mitigation

Good day All,

I just want to raise the issue that has not been addressed so far by the
DDoS cloud mitigation providers, either in the always-ON solution or the
on-demand solution, a BGP session has to be established over a GRE tunnel
over the internet between the ISP/NSP/DC and the cloud scrubbing center,
the BGP/GRE are used for two main purposes; advertising the victim /24
subnet during the attack, and sending the traffic back to from the
scrubbing center to the provider.

The question is how can we guarantee the GRE/BGP performance (control
traffic) during the time between detection and mitigation?

Experts from Arbor, Prolexic(AKAMAI), Radware, Incapsula, (F5),
Verisign, nexus guard, neustar ......etc are most welcomed to give opinions.



"Only the best is good enough"

This is incorrect.

In most cloud overlay DDoS mitigation scenarios (e.g., end-customer obtains service from an MSSP which isn't providing them with transit), a) there is no BGP relationship whatsoever between the end-customer and the MSSP, and b) the GRE tunnel is used strictly for re-injection of clean traffic (i.e., post-mitigation) to the end-customer.

In some scenarios, DNS is also used in place of/in addition to BGP-based diversion.

But GRE is used for re-injection only.

Depends on what performance considerations you are trying to address,

The question is how can we guarantee the GRE/BGP performance (control
traffic) during the time between detection and mitigation?

GRE decapsulation?
IE: Hardware vs Software?
Routing of the Protocol over the internet?
IE: If the inbound path is saturated, what is the availability of the GRE
User-experience with GRE packet overhead?
IE: TCP Fragmentation causing PMTUD messages for reassembly?

I've worked at Prolexic for 7 years and now Akamai for 1.4 yrs, post

Immediately, I can think of multiple scenarios' (3) that come to mind on
how to solve any one of these categories.

Would you like to learn more? lol


I'm quite conversant with all these considerations, thanks.

OP asserted that BGP sessions for diversion into any cloud DDoS mitigation service ran from the endpoint network through GRE tunnels to the cloud-based mitigation provider. I was explaining that in most cloud mitigation scenarios, GRE tunnels are used for re-injection of 'clean' traffic to the endpoint networks.


Agreed, Ramy's scenario was not truly spot on, but his question still
remains. Perf implications when cloud security providers time to
detect/mitigate is X minutes. How stable can GRE transports and BGP
sessions be when under load?

In my technical opinion, this is a valid argument, which deems wide
opinion. Specifically, use-cases about how to apply defense in depth
logically in the DC vs Hybrid vs Pure Cloud.

Good topic, already some back-chatter personal opinions from Nanog lurkers!


Dennis B.