
RE: [Security-WG] Proposed Internet2 DDoS Mitigation Strategy


  • From: Michael Hare <>
  • To: "" <>
  • Subject: RE: [Security-WG] Proposed Internet2 DDoS Mitigation Strategy
  • Date: Sun, 25 Sep 2016 01:49:26 +0000
  • Accept-language: en-US

The downside to GRE is that it is usually world reachable and therefore a target itself.  It’s hypothetically possible the I2 membership could use RFC1918 [or v6 equivalent] for clean return, but by using an unnumbered service such as MPLS or other Ethernet transport that coordination can be sidestepped.  Controversial for some, but it would also allow I2 to provide a higher level of QoS for clean/return LSPs.


With regard to the report, I am concerned that paragraph one on page four gives a false sense of optimism.  Diving into technical for a second, even if the traffic could be confidently filtered by source IP without collateral impact, I am highly suspicious that we can scale to 100k+ flowspec rules which might be required for a wide attack.  OVH has seen nearly 1Tbps with over 145k sources, see https://twitter.com/olesovhcom/status/778830571677978624


IMHO, destination based flowspec rules (with protocol, source port(s), fragment flags and possibly tcp flags) will keep the rule count more sane while not necessarily being the hammer that RTBH is.


-Michael
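The rule-count comparison made above (per-source rules scaling with the number of attack sources versus destination-based rules keyed on protocol and source port), worked through as an added example that is not part of this thread or of the Internet2 document. The flow records, the victim address 192.0.2.10, the reflector and client prefixes, the byte threshold and the textual rendering of the match components are all constructed for illustration; the rendering is not any router's or controller's flowspec syntax.

```python
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample parameters: nothing here comes from the thread.
VICTIM = "192.0.2.10"     # assumed victim address (documentation prefix)
MIN_BYTES = 100_000       # assumed threshold below which no rule is emitted


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int
    nbytes: int


def build_sample() -> list[Flow]:
    """Constructed flow sample: 3000 reflectors hitting the victim from UDP
    source ports 123 (NTP) and 53 (DNS), plus 20 legitimate HTTPS clients."""
    reflectors = [str(h) for h in ipaddress.ip_network("10.0.0.0/16").hosts()][:3000]
    flows = []
    for i, src in enumerate(reflectors):
        sport = 53 if i % 3 == 0 else 123          # one third DNS, two thirds NTP
        flows.append(Flow(src, VICTIM, "udp", sport, 1024 + i, 480_000))
    for i in range(20):
        flows.append(Flow(f"198.51.100.{i + 1}", VICTIM, "tcp", 50_000 + i, 443, 20_000))
    return flows


def source_based_rules(flows: list[Flow], min_bytes: int = MIN_BYTES) -> list[tuple[str, str]]:
    """One (source, destination) rule per offending source: the rule count
    grows with the number of attack sources, which is the scaling concern."""
    per_src: Counter[tuple[str, str]] = Counter()
    for f in flows:
        per_src[(f.src, f.dst)] += f.nbytes
    return sorted(key for key, total in per_src.items() if total >= min_bytes)


def destination_based_rules(flows: list[Flow], min_bytes: int = MIN_BYTES):
    """Aggregate by (destination, protocol, source port). The rule count
    depends on the number of attack vectors, not on the number of sources.
    Buckets under the byte threshold get no rule, so low-volume legitimate
    traffic to the same host is not matched."""
    totals: dict[tuple[str, str, int], int] = defaultdict(int)
    sources: dict[tuple[str, str, int], set[str]] = defaultdict(set)
    for f in flows:
        key = (f.dst, f.proto, f.sport)
        totals[key] += f.nbytes
        sources[key].add(f.src)
    return sorted(
        (key, totals[key], len(sources[key]))
        for key in totals if totals[key] >= min_bytes
    )


def render_rule(key: tuple[str, str, int], action: str = "discard") -> str:
    """Readable rendering of the RFC 5575 match components (destination
    prefix, IP protocol, source port). The layout is illustrative only,
    not any particular router's or controller's configuration syntax."""
    dst, proto, sport = key
    return f"match dst {dst}/32 proto {proto} src-port {sport} then {action}"


if __name__ == "__main__":
    sample = build_sample()
    print("source-based rules:", len(source_based_rules(sample)))
    print("destination-based rules:")
    for key, total, nsrc in destination_based_rules(sample):
        print(f"  {render_rule(key)}   # {total} bytes from {nsrc} sources")
```

On this sample the per-source approach needs 3000 rules while the destination-based approach needs two, one per amplification vector; the byte threshold is what keeps the legitimate HTTPS flows out of both rule sets, and in practice it would be tuned per destination rather than fixed as here.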


From: [mailto:] On Behalf Of Steven Wallace
Sent: Saturday, September 24, 2016 12:41 PM
To:
Subject: Re: [Security-WG] Proposed Internet2 DDoS Mitigation Strategy


There are benefits to using GRE, rather than a layer 2 solution. I would be to discuss.

Sent from my iPhone


On Sep 24, 2016, at 11:12 AM, Karl Newell <> wrote:

I have attached the proposed Internet2 DDoS Mitigation Strategy.  The intended audience is CIO/CTO level and will be circulated after we receive feedback from the community.  Please take a look and let us know if you have any comments or questions.  For those attending TechX there is a DDoS Mitigation BoF on Wednesday; we’ll review the document and have a general discussion around DDoS mitigation.


Cheers,

Karl


--

Karl Newell

Cyberinfrastructure Security Engineer

Internet2

520-344-0459

<DDoSMitigationStrategyVers2.docx>



