netsec-sig - [Security-WG] Another service option

Subject: Internet2 Network Security SIG


[Security-WG] Another service option


  • From: "Magorian, Daniel F." <>
  • To: "" <>
  • Subject: [Security-WG] Another service option
  • Date: Thu, 17 Sep 2015 21:12:17 +0000
  • Accept-language: en-US

Apologies if I missed discussion of this option before in this WG.

At the end of the Incapsula call today, Steve mentioned several forms for the
service offering, particularly NET+. That's fine, but there's also another
option, namely:

Internet2 procures Arbor, A10, or other on-prem COTS scrubber boxes, and
offers bgp-redirection off-prem scrubbing as a service to members themselves.


Before discarding this approach immediately, consider the pros and cons:

Pros:

bgp-redirection off-prem scrubbing services by companies like Arbor are done
with their own boxes, so what they're really doing is selling you one and
leasing you time on others, and

DDoS mitigation is expensive, typically ~$100-200k/yr or more for a typical
enterprise. Many I2 members aren't budgeted for this, or can't get the
project approved because they haven't been the victims of a big attack
before. So when one happens, all they can do is black hole the targets' /32
routes to dump the traffic so the rest of their network's back on the air.
Then they find the big budget for bgp-redirection off-prem service the next
year.

Doing bgp redirection of members' traffic to and setting up GRE tunnels from
several geographically diverse scrubber locations isn't that hard to do.

I2 could offer this service for a heck of a lot less, which would ensure that
members are protected.

Using a supported COTS scrubbing box isn't like a total DIY homebrew.

Cons:

How to stripe scrubber boxes in parallel to handle many big flows takes some
engineering.

10G line-rate scrubber boxes are expensive, and > 10G probably doesn't exist.

It's not "drop out 3 boxes, set, and forget"; the service would take care and
feeding by knowledgeable people. These people would need to be hired,
trained, and retained by the service as a cost/profit center, or it could
become just another responsibility tossed around with variable results. I.e.,
it would have to work and stay working.

Lawyers for both I2 and members would probably hate the idea of taking or
passing responsibility for redirecting and scrubbing institutions' traffic,
not something I2 or IU does now.

Dan
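The two responses Dan contrasts (blackholing a victim's /32 so the rest of the campus stays up, versus announcing a more-specific prefix toward an off-prem scrubber and returning clean traffic over a GRE tunnel) both rest on longest-prefix-match forwarding. The toy routing table below is an added illustration, not part of the message or of any Internet2 service; every prefix, next-hop name and tunnel name in it is constructed for the example.

```python
"""
Added illustration (not from the mailing-list post): a longest-prefix-match
routing table seen from an upstream router, showing

  1. RTBH: the victim's /32 is installed with a discard next hop, so only
     traffic to that host is dropped and the member's aggregate stays up.
  2. BGP-redirect scrubbing: a more-specific prefix covering the victim is
     announced toward the scrubbing site; the scrubber returns cleaned
     traffic to the member through a GRE tunnel.

All prefixes, next hops and tunnel names are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str                        # "discard" models a blackhole route
    via_tunnel: Optional[str] = None     # GRE tunnel carrying the return path


@dataclass
class RoutingTable:
    routes: List[Route] = field(default_factory=list)

    def add(self, prefix: str, next_hop: str, via_tunnel: Optional[str] = None):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, via_tunnel))

    def withdraw(self, prefix: str):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r.prefix != net]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: the most specific covering route wins."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)


def upstream_table_normal() -> RoutingTable:
    # Constructed member aggregate (TEST-NET-1), normally forwarded to the
    # member's border router.
    table = RoutingTable()
    table.add("192.0.2.0/24", "member-border")
    return table


def apply_rtbh(table: RoutingTable, victim: str) -> None:
    # Remote-triggered blackhole: a /32 for the target with a discard next hop.
    table.add(f"{victim}/32", "discard")


def apply_scrub_redirect(table: RoutingTable, covering_prefix: str,
                         scrubber: str, gre_tunnel: str) -> None:
    # Announce a more-specific prefix toward the scrubbing site; the clean
    # traffic comes back to the member over the named GRE tunnel.
    table.add(covering_prefix, scrubber, via_tunnel=gre_tunnel)


def forwarding_decision(table: RoutingTable, dst: str) -> Tuple[str, Optional[str]]:
    """Return (next_hop, return_tunnel) for dst, or ("unreachable", None)."""
    route = table.lookup(dst)
    if route is None:
        return ("unreachable", None)
    return (route.next_hop, route.via_tunnel)


if __name__ == "__main__":
    victim, neighbour = "192.0.2.10", "192.0.2.200"

    t = upstream_table_normal()
    apply_rtbh(t, victim)
    print("RTBH   ", victim, "->", forwarding_decision(t, victim))
    print("RTBH   ", neighbour, "->", forwarding_decision(t, neighbour))

    t = upstream_table_normal()
    apply_scrub_redirect(t, "192.0.2.0/25", "scrubber-site-a", "gre0")
    print("scrub  ", victim, "->", forwarding_decision(t, victim))
    print("scrub  ", neighbour, "->", forwarding_decision(t, neighbour))
```

The `/25` redirect is deliberately narrower than the member's `/24`: a scrubbing site needs a prefix that is more specific than the member's own announcement for the upstream to prefer it, while the `/32` used for blackholing never has to leave the upstream's own routers. Hosts outside the redirected prefix keep their normal path in both cases, which is the "rest of the network's back on the air" effect the post describes.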
