netsec-sig - Re: [Security-WG] Another service option
Subject: Internet2 Network Security SIG
- From: Steven Wallace <>
- To: "Magorian, Daniel F." <>
- Subject: Re: [Security-WG] Another service option
- Date: Thu, 17 Sep 2015 18:31:51 -0400
Another good/bad to consider is that Internet2 would need to purchase a large
boatload of IP transit.
A potential opportunity to gain a pricing advantage for the community.
ssw
> On Sep 17, 2015, at 5:12 PM, Magorian, Daniel F. <> wrote:
>
> Apologies if I missed discussion of this option before in this WG.
>
> At the end of the Incapsula call today, Steve mentioned several forms for
> the service offering, particularly NET+. That's fine, but there's also
> another option, namely:
>
> Internet2 procures Arbor, A10, or other on-prem COTS scrubber boxes, and
> offers bgp-redirection off-prem scrubbing as a service to members
> themselves.
>
> Before discarding this approach immediately, consider the pros and cons:
>
> Pros:
>
> bgp-redirection off-prem scrubbing services by companies like Arbor are
> done with their own boxes, so what they're really doing is selling you one
> and leasing you time on others, and
>
> DDoS mitigation is expensive, typically ~$100-200k/yr or more for a typical
> enterprise. Many I2 members aren't budgeted for this, or can't get the
> project approved because they haven't been the victims of a big attack
> before. So when one happens, all they can do is black hole the targets'
> /32 routes to dump the traffic so the rest of their network's back on the
> air. Then they find the big budget for bgp-redirection off-prem service
> the next year.
>
> Doing bgp redirection of members' traffic to and setting up GRE tunnels from
> several geographically diverse scrubber locations isn't that hard to do.
>
> I2 could offer this service for a heck of a lot less, which would ensure
> that members are protected.
>
> Using a supported COTS scrubbing box isn't like a total DIY homebrew.
>
> Cons:
>
> How to stripe scrubber boxes in parallel to handle many big flows takes
> some engineering.
>
> 10G line-rate scrubber boxes are expensive, and > 10G probably doesn't
> exist.
>
> It's not "drop out 3 boxes, set, and forget"; the service would take care
> and feeding by knowledgeable people. These people would need to be hired,
> trained, and retained by the service as a cost/profit center, or it could
> become just another responsibility tossed around with variable results. I.e.,
> it would have to work and stay working.
>
> Lawyers for both I2 and members would probably hate the idea of taking or
> passing responsibility for redirecting and scrubbing institutions' traffic,
> not something I2 or IU does now.
>
> Dan
>
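The two responses Dan contrasts above, black-holing the victim's /32 versus BGP diversion to a scrubbing centre with a GRE return path, and the flow striping across parallel scrubber boxes he lists under the cons, as an added example that is not code from either message or from Internet2. Every prefix, AS number and tunnel endpoint is a constructed sample value from the documentation ranges; the only real identifier is the RFC 7999 BLACKHOLE community 65535:666.

```python
# Added example (not from the thread): model the operational choices in Dan's
# post. All prefixes, AS numbers and endpoints below are constructed samples.
import ipaddress
import zlib
from dataclasses import dataclass

# RFC 7999 well-known BLACKHOLE community; upstreams that honour it discard the prefix.
BLACKHOLE_COMMUNITY = "65535:666"
# Announcements more specific than /24 are commonly filtered in the global IPv4
# table, so a diversion announcement must cover the victim with at most a /24.
MIN_GLOBAL_PREFIXLEN = 24


@dataclass(frozen=True)
class Member:
    name: str
    asn: int
    prefixes: tuple                      # networks the member originates
    gre_endpoint: ipaddress.IPv4Address  # where clean traffic is tunnelled back to


def make_member(name, asn, prefixes, gre_endpoint):
    """Build a Member from plain strings (constructed sample input)."""
    nets = tuple(ipaddress.ip_network(p) for p in prefixes)
    return Member(name, asn, nets, ipaddress.ip_address(gre_endpoint))


def rtbh_route(target):
    """The 'black hole the /32' response: all traffic to the victim is dropped,
    legitimate traffic included, but the rest of the network comes back up."""
    host = ipaddress.ip_network(f"{target}/32")
    return {"prefix": str(host), "community": BLACKHOLE_COMMUNITY, "action": "discard"}


def diversion_prefix(member, target):
    """Prefix to re-originate from the scrubbing AS so attack traffic lands at
    the scrubbers: the member's most specific covering prefix, widened to the
    enclosing /24 when the member only announces something shorter (a bare /32
    would not propagate beyond the local routing domain)."""
    victim = ipaddress.ip_address(target)
    covering = [p for p in member.prefixes if victim in p]
    if not covering:
        raise ValueError(f"{target} is not inside any prefix of {member.name}")
    parent = max(covering, key=lambda p: p.prefixlen)
    if parent.prefixlen >= MIN_GLOBAL_PREFIXLEN:
        return parent
    return ipaddress.ip_network(f"{victim}/{MIN_GLOBAL_PREFIXLEN}", strict=False)


def loops_back(member, target):
    """True when the GRE return endpoint sits inside the diverted prefix: the
    scrubbed traffic would then be routed straight back to the scrubber."""
    return member.gre_endpoint in diversion_prefix(member, target)


def plan_scrubbing(member, target, scrubber_asn):
    """The diversion option: more-specific announcement from the scrubbing AS,
    clean traffic returned over GRE. Refuses the return-path loop above."""
    divert = diversion_prefix(member, target)
    if loops_back(member, target):
        raise ValueError(f"GRE endpoint {member.gre_endpoint} lies inside {divert}")
    return {
        "divert": str(divert),
        "origin_as": scrubber_asn,
        "gre_return_to": str(member.gre_endpoint),
    }


def assign_scrubber(src_ip, n_boxes):
    """Stripe flows across parallel scrubber boxes by source address, so every
    packet from one source reaches the same (stateful) box."""
    return zlib.crc32(ipaddress.ip_address(src_ip).packed) % n_boxes


# Constructed sample member: documentation ASN, benchmarking-range prefix.
SAMPLE_MEMBER = make_member("Example U", 64496, ["198.18.0.0/15"], "203.0.113.10")

if __name__ == "__main__":
    print(rtbh_route("198.18.5.77"))
    print(plan_scrubbing(SAMPLE_MEMBER, "198.18.5.77", 64500))
    print([assign_scrubber(f"192.0.2.{i}", 3) for i in range(8)])
```

The loop check is the detail that bites first in practice: the tunnel endpoint that receives clean traffic has to live outside the diverted prefix, otherwise the /24 the scrubber now originates attracts its own return traffic. Striping by source address is the simplest affinity scheme; anything that needs symmetric state per connection has to hash on more of the tuple, which is part of the engineering the post alludes to.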