Thanks for the input, Mike.
On Thu, Jul 7, 2022 at 10:20 AM Jeff Haas <jh...@juniper.net> wrote:

> In circumstances where the routing table can help you mitigate an attack,
> including things that use uRPF, it'll usually scale significantly better
> than flowspec. This is primarily because flowspec is just a distributed
> way of programming the firewall, and firewalls on transit routers have many
> dimensions where they don't scale nicely.
>
> That said, the firewall on many of our platforms for "block these sources"
> should scale nicely ... but doesn't in flowspec if you have rules that
> interleave. The interleaving rules interfere with firewall optimization.
>
> The issue above motivates the flowspec v2 work happening in IETF,
> particularly the user-ordered rules.
>
> -- Jeff
>
> On 7/7/22, 10:02 AM, "juniper-nsp on behalf of Gert Doering via
> juniper-nsp" <juniper-nsp-boun...@puck.nether.net on behalf of
> juniper-nsp@puck.nether.net> wrote:
>
> > Hi,
> >
> > On Thu, Jul 07, 2022 at 08:41:56AM -0400, harbor235 via juniper-nsp wrote:
> > > Since Flowspec arrived, are there any uses for SRTBH?
> > > Scaling?
> >
> > My understanding of flowspec is that it is typically implemented by
> > programming ACL TCAM, while SRTBH is routing table lookup, so
> > "some 10.000 lines" vs. "2-4 million".
> >
> > OTOH, SRTBH is all-or-nothing, not "only port 80"...
> >
> > gert
> > --
> > "If was one thing all people took for granted, was conviction that if you
> > feed honest figures into a computer, honest figures come out. Never doubted
> > it myself till I met a computer with a sense of humor."
> >                              Robert A. Heinlein, The Moon is a Harsh Mistress
> >
> > Gert Doering - Munich, Germany
> > g...@greenie.muc.de

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
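The mechanism difference discussed in the thread, as an added sketch that is not part of any poster's message or any vendor's code: SRTBH is modelled as a loose-uRPF source lookup that fails when the source resolves to a discard route, and flowspec as an ordered filter list that can also match protocol and port. The prefixes, next-hop names and rule fields are constructed for illustration.

```python
import ipaddress

DISCARD = "discard"  # next hop of a blackhole route (constructed name)

def lpm(table, addr):
    """Longest-prefix match: next hop of the most specific covering route, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def srtbh_permits(table, pkt):
    """Loose uRPF: the source must resolve to a route that is not a discard route.
    Only the source address is consulted, so the verdict ignores protocol and port."""
    next_hop = lpm(table, pkt["src"])
    return next_hop is not None and next_hop != DISCARD

def flowspec_permits(rules, pkt):
    """Ordered filter terms, first match wins; unset fields act as wildcards."""
    src = ipaddress.ip_address(pkt["src"])
    for rule in rules:
        if src not in ipaddress.ip_network(rule["src"]):
            continue
        if rule.get("proto") not in (None, pkt["proto"]):
            continue
        if rule.get("dport") not in (None, pkt["dport"]):
            continue
        return rule["action"] == "accept"
    return True  # no term matched: traffic is forwarded

# Constructed sample state: one blackholed /32 inside a routed /24.
ROUTES = {"198.51.100.0/24": "peer-a", "203.0.113.0/24": "peer-b",
          "198.51.100.7/32": DISCARD}
FLOWSPEC = [{"src": "198.51.100.7/32", "proto": 6, "dport": 80, "action": "discard"}]

def verdicts():
    """(srtbh, flowspec) permit decisions for three constructed packets."""
    packets = [{"src": "198.51.100.7", "proto": 6, "dport": 80},
               {"src": "198.51.100.7", "proto": 6, "dport": 443},
               {"src": "198.51.100.8", "proto": 6, "dport": 80}]
    return [(srtbh_permits(ROUTES, p), flowspec_permits(FLOWSPEC, p)) for p in packets]

if __name__ == "__main__":
    print(verdicts())
```

The second packet is where the two differ: the route lookup drops everything from the blackholed source, while the filter term only drops its port 80 traffic.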