
netsec-sig - Re: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...

Subject: Internet2 Network Security SIG

  • From: "Dale W. Carder"
  • To: Steven Wallace
  • Cc: Rob Vietzke, George Loftus, John Moore, Caroline Weilhamer
  • Subject: Re: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...
  • Date: Fri, 16 Oct 2015 13:35:43 -0500


$0.02 inline:

Thus spake Steven Wallace on Fri, Oct 16, 2015 at 09:59:27AM -0400:
>
> I received a couple of volunteers (i.e. 2) to participate in developing a
> fast-tracked set of recommendations to Internet2 concerning possible DDoS
> service offerings. Since this is going to be very lightweight, I’m
> soliciting the entire group to weigh in.
>
> I confirmed with Rob Vietzke that our charge is:
>
> “Internet2 requests that the Security WG recommend a set of DDoS mitigation
> capabilities to be delivered using, or in conjunction with, the Internet2
> network. The intent is to inform Internet2’s expeditious engagement with
> mitigation providers to on-board services.”
>
> The idea is that the group would provide a list of DDoS mitigation
> capabilities Internet2 might offer. To expedite I2’s delivery of these
> capabilities, I2 is not seeking specific vendor recommendations. It’s also
> my understanding that such services may or may not be delivered via Net+
> (as someone said expeditiously and via Net+ have not been proven to
> co-exist ;-).

(snip)
> I think it is also good to list any constraints that will help inform I2’s
> efforts.
(snip)

> scrubbing service (the ones that announce the campus’s IP space)

Probably most realistic to do via Net+ unless I2 has acquired gobs of
commodity peering, oodles of servers, etc.

> web, and web-based application caching

See above. Some vendors can also "scrub" some application traffic (with
caveats).

> RTBH with flow spec

This could be separated out:
a) RTBH: traditional BGP community-based triggering
b) flowspec-triggered filtering

> UTRS

Not just I2, but I think that we all might want to take a hard look at
this. There are complications for connectors with downstream AS's as
they will not be permitted to originate prefixes not in their ASN to
UTRS. However, anyone could subscribe and minimally implement the
blackhole feed.

> DDoS detection

Likely an end-site concern and/or a Net+ service to do flow analysis if
the site does not have that capability. One would want to look at the
non-R&E traffic profile as well. This takes some amount of care & feeding.

Dale


