nanog mailing list archives

RE: I don't need no stinking firewall!


From: "George Bonser" <gbonser () seven com>
Date: Tue, 5 Jan 2010 21:03:51 -0800



-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins () arbor net]
Sent: Tuesday, January 05, 2010 8:53 PM
To: NANOG list
Subject: Re: I don't need no stinking firewall!


On Jan 6, 2010, at 11:43 AM, George Bonser wrote:

Yes, you have to take some of the things that were done in one spot and do
them in different locations now, but the results are an amazing increase
in service capacity per dollar spent on infrastructure.

I strongly agree with the majority of your comments, with the caveat
that I've seen many, many load-balancers fall over due to
state-exhaustion, too; load-balancers need northbound protection from DDoS
(S/RTBH, flow-spec, IDMS, et al.), as well.


Yes, I have seen load balancers fall over, too.  I have some interesting
stories of how those problems have been solved. Sometimes it relies on
using a feature of one vendor to leverage a feature of another vendor.
But I generally agree with you.  There is a lot that can be done ahead
of the load balancers.



