Tunneling was invented to connect networks separated by other, independent networks. One classic example is the VPN use case, where remote-access users connect to a variety of network resources (corporate home gateways or an internet service provider) through public data networks. Tunneling is simply encapsulating a packet in another packet. The devices at the network entry and exit points play the pivotal role of performing the encapsulation and decapsulation respectively, and are therefore responsible for building and maintaining the state that makes the tunnel work, while the rest of the devices in the network transport the packets transparently based on the outer headers alone.
Delegating security enforcement to the service provider is an interesting option, especially in the case of volumetric DDoS attacks. Redirecting the traffic to the cleaning devices (cluster) and then re-inserting it into the network has to be done in a way that prevents routing loops: once the victim's prefix is pulled toward the cleaning cluster, the cleaned traffic must not be attracted back to it. Commonly used techniques are based on either (A) filter/ACL-based forwarding or policy routing, (B) L3VPN instances on ASBRs and/or edge routers, or (C) IP/GRE tunnels between the cleaning devices and the CPE.
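To make the routing-loop problem concrete, the following added example (not code from the post; the topology, addresses and node names are constructed) simulates longest-prefix-match forwarding in a small SP network where the cleaning cluster injects a /32 for the victim. Re-injecting cleaned traffic natively loops it straight back to the cluster, while re-injecting it inside an IP/GRE tunnel toward the CPE (option C) lets transit routers forward on the outer header and breaks the loop.

```python
import ipaddress

# Constructed topology (not taken from the post): a /24 customer prefix behind a
# CPE, the CPE's WAN /32 reachable through the edge router, and a scrubbing
# cluster that injects the victim /32 into the SP routing table during an
# attack so that core routers pull the victim's traffic toward the cluster.
CUSTOMER = ipaddress.ip_network("203.0.113.0/24")
VICTIM = ipaddress.ip_network("203.0.113.10/32")
CPE_WAN = ipaddress.ip_network("198.51.100.2/32")

# Per-node forwarding tables: prefix -> next hop, resolved by longest match.
TABLES = {
    "core": {CUSTOMER: "edge", CPE_WAN: "edge", VICTIM: "scrubber"},
    "edge": {CUSTOMER: "cpe", CPE_WAN: "cpe", VICTIM: "scrubber"},
}


def lookup(table, dst):
    """Longest-prefix-match lookup; returns the next hop or None."""
    ip = ipaddress.ip_address(dst)
    matches = [p for p in table if ip in p]
    return table[max(matches, key=lambda p: p.prefixlen)] if matches else None


def trace(inner_dst, tunnel_endpoint=None):
    """Follow one packet from the core toward inner_dst; return (path, looped).

    After cleaning, the scrubber re-injects the packet either natively (transit
    routers forward on the inner header) or, when tunnel_endpoint is given,
    GRE-encapsulated so transit routers forward on the outer header instead.
    A repeated (router, outer header) state means the packet is looping.
    """
    outer_dst, node, path, seen = None, "core", ["core"], set()
    while node != "cpe":
        state = (node, outer_dst)
        if state in seen:
            return path, True
        seen.add(state)
        if node == "scrubber":
            outer_dst, nxt = tunnel_endpoint, "core"  # hand cleaned packet back
        else:
            nxt = lookup(TABLES[node], outer_dst or inner_dst)
            if nxt is None:
                return path, False  # no route: packet dropped, not looped
        path.append(nxt)
        node = nxt
    return path, False  # CPE strips the outer header and delivers inner_dst


if __name__ == "__main__":
    print(trace("203.0.113.10"))                  # native re-injection loops
    print(trace("203.0.113.10", "198.51.100.2"))  # GRE to the CPE breaks the loop
```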
This blog presents an alternative method. The proposed architecture requires neither L3VPN nor VRF/VR instances on the ASBR and edge routers, no filters/ACLs, and no customer-specific configuration on the ASBR, peering or edge routers. It leverages the dynamic control plane of the IP/MPLS network to track CPE availability and to direct traffic from the cleaning cluster to the best CPE (multi-homing), honoring the customer's routing attributes (e.g. MED or communities). There are no requirements on the CPE other than basic IP forwarding; however, if the CPE uses plain eBGP to communicate with the SP edge, the full potential of the solution can be achieved.