Internet2 Network Security SIG

[Steven Wallace <>]

Another good/bad to consider is that Internet2 would need to purchase a large 
boatload of IP transit. 

A potential opportunity to gain a pricing advantage for the community.

ssw

> On Sep 17, 2015, at 5:12 PM, Magorian, Daniel F. 
> <>
>  wrote:
> 
> Apologies if I missed discussion of this option before in this WG.
> 
> At the end of the Incapsula call today, Steve mentioned several forms for 
> the service offering, particularly NET+.   That's fine, but there's also 
> another option, namely:
> 
> Internet2 procures Arbor, A10, or other on-prem COTS scrubber boxes, and 
> offers bgp-redirection off-prem scrubbing as a service to members 
> themselves.  
> 
> Before discarding this approach immediately, consider the pros and cons:
> 
> Pros:
> 
> bgp-redirection off-prem scrubbing services by companies like Arbor are 
> done with their own boxes, so what they're really doing is selling you one 
> and leasing you time on others, and 
> 
> DDoS mitigation is expensive, typically ~$100-200k/yr or more for a typical 
> enterprise.  Many I2 members aren't budgeted for this, or can't get the 
> project approved because they haven't been the victims of a big attack 
> before.  So when one happens, all they can do is black hole the targets' 
> /32 routes to dump the traffic so the rest of their network's back on the 
> air.  Then they find the big budget for bgp-redirection off-prem service 
> the next year.
> 
> Doing bgp redirection of members traffic to and setting up GRE tunnels from 
> several geographically diverse scrubber locations isn't that hard to do.
> 
> I2 could offer this service for a heck of a lot less, which would ensure 
> that members are protected.
> 
> Using a supported COTS scrubbing box isn't like a total DIY homebrew.
> 
> Cons:
> 
> How to stripe scrubber boxes in parallel to handle many big flows takes 
> some engineering.
> 
> 10G line-rate scrubber boxes are expensive, and > 10G probably doesn't 
> exist.
> 
> It's not "drop out 3 boxes, set, and forget"; the service would take care 
> and feeding by knowledgeable people.  These people would need to be hired, 
> trained, and retained by the service as a cost/profit center, or it could 
> become just another responsibility tossed around with variable results. Ie, 
> it would have to work and stay working.
> 
> Lawyers for both I2 and members would probably hate the idea of taking or 
> passing responsibility for redirecting and scrubbing institutions' traffic, 
> not something I2 or IU does now.
> 
> Dan
>