
Use Gatekeeper without BGP

Open HorlbogeDE opened this issue 6 years ago • 2 comments

Is it possible to use Gatekeeper without BGP? This would be very interesting for users with servers in a datacenter with IPs/subnets provided by the DC, as some datacenters do not provide the best DDoS mitigation/protection.

My idea would be using a server with e.g. a 10G internet connection to filter incoming traffic and then forward it to an internal 1G network.

HorlbogeDE, Dec 17 '19 09:12

Hi @HorlbogeDE,

It is possible. But given that we are not working to deploy in this scenario, one is going to find some issues in this minimal scenario. Reviewing the open issues, I identified the following two issues: #267 and #91. This list is not exhaustive, it's just what I found skimming the open issues. I've created the milestone "Minimal deployments" to group these issues.

Notice that in this scenario you want to deploy, Gatekeeper does not have a lever to deal with attacks that can overwhelm the incoming link. Gatekeeper is going to honor the policy as closely as possible while the incoming link is overwhelmed, but, when the link is overwhelmed, good packets that Gatekeeper would let pass may be dropped before Gatekeeper can receive them. Gatekeeper is designed to work in a distributed fashion, so one can have as many vantage points as needed to withstand very large attacks.

AltraMayor, Dec 17 '19 13:12

Being able to run Gatekeeper locally could be a deployment incentive -- one could craft policies and see some effects of the system without needing to worry about changing their BGP routes, registering with an IXP, etc. We think of being able to deploy in an IXP (or other vantage point) as fairly low cost compared to the alternatives, but there still are costs.

cjdoucette, Dec 18 '19 15:12