
netsec-sig - RE: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...

Subject: Internet2 Network Security SIG

  • From: "Schopis, Paul" <>
  • To: "Spurling, Shannon" <>, "D'Angelo, Cas (Samuel)" <>, Steven Wallace <>, "" <>
  • Cc: Rob Vietzke <>, George Loftus <>, John Moore <>, "Caroline Weilhamer" <>
  • Subject: RE: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...
  • Date: Tue, 20 Oct 2015 17:54:38 +0000

I agree with a number of the comments on this thread. I think leveraging our I2 connections for scrubbing purposes is a good use of our investment and brings a lot of value. Questions to consider:

1. To fully leverage the regional infrastructure in pursuit of the wellbeing of Higher Ed in general, would I2 consider making an offering available to all members of the region? Context: Our HE membership is larger than I2

2. In regards to using AL2S as the mechanism, the offerings I have looked at already are set up to auto-intervene using IP GRE tunnels. The risk of using that as the mechanism and the risk of using AL2S as an alternative need to be carefully evaluated to make sure we understand the failure vectors of each solution so we can make well informed poor choices.

 

From: [mailto:] On Behalf Of Spurling, Shannon
Sent: Tuesday, October 20, 2015 12:06 PM
To: D'Angelo, Cas (Samuel); Steven Wallace;
Cc: Rob Vietzke; George Loftus; John Moore; Caroline Weilhamer
Subject: RE: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...

 

Is scrubbing something I2 wants to provide or contract for? I think the power to leverage the AL2S for temporary up-links into a scrubbing service that is a pay-as-you-go type offering could be powerful. There has been some trepidation on the part of certain members with making full use of the TR-CPS service, and then there is also the location-limited membership of the TR-CPS peers. If the scrubbing service’s outside facing presence is sufficiently diverse and present in the unwashed mass of the Internet, coming in through the backside with AL2S might be the big plus over layer3 tunneling. I think getting a large enough and diverse enough group of touch points into commodity Internet to make the scrubbing work well would be hard for I2 without complete community participation. Maybe something Members would have to be willing to host a box that could draw dirty traffic in to be scrubbed and advertise those routes out to their Internet providers in some way. But that’s crazy… Right?

 

Personally, I’m not sold on scrubbing. Sometimes it’s best to scuttle the IP during the attack and adopt some edge-based practices that let you have some flexibility at the edge. Some of the lamest (as far as target value or reason behind it) DDOS’s are enormous, and I don’t see any way to effectively scrub them out. Then there’s the camouflaged ones, where you would need something application or state aware to properly remove the bad traffic. That is very computationally expensive.

 

Shannon Spurling

 

 

From: [] On Behalf Of D'Angelo, Cas (Samuel)
Sent: Tuesday, October 20, 2015 7:37 AM
To: Steven Wallace;
Cc: Rob Vietzke; George Loftus; John Moore; Caroline Weilhamer
Subject: Re: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...

 

Steve,

 

I like your list of requirements.  Should we say something about the pricing model we'd prefer? 

  • small recurring charge with burst fee for scrubbing
  • higher recurring charge with no additional fees
  • some other model

 

Does Internet2 (and TR-CPS) provide the routing based tools today?  Should we start a separate project asking I2 to implement:

  • RTBH with flow spec
  • UTRS

maybe more???

 

Thanks.

 

Cas

 


From: <> on behalf of Steven Wallace <>
Sent: Friday, October 16, 2015 9:59 AM
To:
Cc: Rob Vietzke; George Loftus; John Moore; Caroline Weilhamer
Subject: [Security-WG] fast track for DDoS recommendations to Internet2, and a bit more...

 

[cc’ing Caroline for NTAC engagement]

 

 

I received a couple of volunteers (i.e. 2) to participate in developing a fast-tracked set of recommendations to Internet2 concerning possible DDoS service offerings. Since this is going to be very lightweight, I’m soliciting the entire group to weigh in.

 

I confirmed with Rob Vietzke that our charge is:

 

“Internet2 requests that the Security WG recommend a set of DDoS mitigation capabilities to be delivered using, or in conjunction with, the Internet2 network. The intent is to inform Internet2’s expeditious engagement with mitigation providers to on-board services.”

 

The idea is that the group would provide a list of DDoS mitigation capabilities Internet2 might offer. To expedite I2’s delivery of these capabilities, I2 is not seeking specific vendor recommendations. It’s also my understanding that such services may or may not be delivered via Net+ (as someone said expeditiously and via Net+ have not been proven to co-exist ;-).

 

I’m going to take this charge a bit farther and also solicit additional Internet2 operational capabilities, such as RTBH with BGP Flowspec and participation in UTRS.

 

 

I’ll prime the pump with some desired capabilities:

 

  • scrubbing service (the ones that announce the campus’s IP space)
  • web, and web-based application caching
  • RTBH with flow spec
  • UTRS
  • DDoS detection

 

 

 

I think it’s also good to list any constraints that will help inform I2’s efforts.

 

Let’s use the list to contribute. Next Friday I’ll summarize and deliver to I2 our recommendations. This feels like real progress for this group.

 

thanks,

 

ssw

 

 



