Presentation is loading. Please wait.

Presentation is loading. Please wait.

BGP Flow specification Update

Published byBaldric Hardy Modified over 9 years ago

Similar presentations

Presentation on theme: "BGP Flow specification Update"— Presentation transcript:

1 BGP Flow specification Update
David Lambert

2 What is BGP Flow-Spec Authors: draft-marques-idr-flow-spec-XX.txt
Defines a method for the originator of a BGP NLRI to define and advertise a flow filter to its upstream BGP peers via BGP. Multi vendor support Co-authored with Cisco, Arbor, NTT/Verio Authors: Jared Mauch Danny McPherson Robert Raszuk Barry Greene Pedro Marques Nischal Sheth

3 Address family identifier / sub address family indicator
What is BGP Flow-Spec New Address family for BGP NLRI type (afi=1, safi=134 ) Defines a way to carry “flow” in BGP Sends a “component type” in a BGP update Defines operations to perform on flows Sends an “action” in a BGP Update Defines a Model for Validation Address family identifier / sub address family indicator

4 Component Types T1 Destination Address T2 Source Address
T3 IP Protocol T4 Port ( source or dest ) T5 Destination port T6 Source Port T7 ICMP type T8 ICMP code T9 TCP flags T10 Packet length T11 DSCP T12 Fragment Encoding

5 Actions Traffic-Rate Traffic-Action Redirect
Action ( set to “action or not “ ) Sample**** <<< fix this ( get explanation ) Redirect Send traffic to another VRF for collection

6 Flow Validation Need to validate by default to prevent spoofing Rules
a) The "originator" of a flow route matches the "originator" of the best match unicast route for the destination address that is embedded in the the route. b) There are no more-specific unicast routes, when compared to destination address of the flow route, for which the active route has been received from a different next-hop autonomous-system.

7 Disabling Flow Validation
No Validation is useful when you want central flow arbitration But its validation with conditions Route policy

8 Disabling Validation Validate against a policy family inet { flow {
no-validate <policy>; "Validation procedure is skipped for routes that match this policy"; }

9 What can we do with it Allows Customers to set their own firewalls on SP core. Validation rules will avoid spoofing of flow NLRI Provides a tool for the NOC to quickly react to DDOS attacks.

10 A quick word on detection
Easy on CPU based routers Chances are the CPE router can already work out the attack vector Some challenges on ASIC based platform. Can be done, but it costs Service Provider $$ Try to push the detection/inspection to the edge if you can. There is a stack of IDP box solutions out there It makes sense to give the downstream the tools required Empower the downstream to work it out for you Provide a back channel for DDOS traffic. Case of known attack ( worm announced ) Enabling floespec can save the SP Time and Money

11 Flow-routes are a small part of picture
Very small but convenient way to distribute flow Flow route Data out of router Flow ( Arbor ) Mirror ( IDP ) Firewall Config push vector Analysis Flow analysis IDP inspection Process False positive?

12 Configuration Options Define FLOW
then { accept; discard; next-term; rate-limit; sample; routing-instance; } [edit protocols bgp] group <name> { family inet flow; neighbor <a.b.c.d> { routing-options { flow { route <name> { match { destination; source ; protocol ; port ; destination-port ; source-port ; icmp-code ; icmp-type ; tcp-flags ; packet-length ; dscp ; fragment [ dont-fragment not-a-fragment is-fragment first-fragment last-fragment ] }

13 Configuration Example Routing Options
Define Flow routes routing-options { flow { route filter { match destination /24; then { community test; rate-limit 32k; }

14 Configuration example BGP
Add family flow to BGP peers Protocols { bgp { group int { type internal; local-address ; family inet { unicast; flow; } neighbor ;

15 Configuration example
Define Non-Validation show protocols bgp group int { type internal; local-address ; family inet { unicast; flow { no-validate test; } neighbor ;

16 Diagnostics show route receive-protocol bgp
Shows received NLRI show route advertising-protocol bgp Shows advertised NLRI show route flow show active flow routes show route table inetflow.0 Shows actual defined flow routes ( from routing options ) show firewall Shows installed flow filters and counters

17 Show Firewall lab@Darstardly-re0#
run show firewall Counters: Name Bytes Packets /24,* Policers: Name Packets /24,* [edit]

18 Who’s using it Secret information !

19 Common Arguments Spoofing
Validation will prevent this Remote initiated black holes education will help Why BGP Its there BGP instability What's stopped auto configuration efforts in the past? As boundaries NO tools that work

20 Future Enhancements Community based firewall for flow routes
A Community match to reference a generic firewall Set forwarding class Why not in the draft? Least common denominator

21 Alternatives What about RADB bogons list of common attack vectors
Its all pretty scary but flowspec is a little less scary

Download ppt "BGP Flow specification Update"

Similar presentations

Introduction to IP Routing Geoff Huston. Routing How do packets get from A to B in the Internet? A B Internet.

Introduction to IP Routing Geoff Huston. Routing How do packets get from A to B in the Internet? A B Internet.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.24-1 MPLS VPN Technology Introducing the MPLS VPN Routing Model.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v MPLS VPN Technology Introducing the MPLS VPN Routing Model.
Route Optimisation RD-CSY3021.

Route Optimisation RD-CSY3021.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—5-1 MPLS VPN Implementation Configuring BGP as the Routing Protocol Between PE and CE Routers.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—5-1 MPLS VPN Implementation Configuring BGP as the Routing Protocol Between PE and CE Routers.
RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.

RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.
RIP V2 CCNP S1(5), Chapter 4.

RIP V2 CCNP S1(5), Chapter 4.
IPv6 Routing IPv6 Workshop Manchester September 2013

IPv6 Routing IPv6 Workshop Manchester September 2013
1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.

1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.
Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.

Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.
BGP. 2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net BGP Overview Is an inter-domain routing protocol that communicates prefix reachablility.

BGP. 2 Copyright © 2009 Juniper Networks, Inc. BGP Overview Is an inter-domain routing protocol that communicates prefix reachablility.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED. ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY.

COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED. ALCATEL-LUCENT — CONFIDENTIAL — SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW — PROPRIETARY.
CS 672 1 Summer 2003 Lecture 14. CS 672 2 Summer 2003 MPLS VPN Architecture MPLS VPN is a collection of sites interconnected over MPLS core network. MPLS.

CS Summer 2003 Lecture 14. CS Summer 2003 MPLS VPN Architecture MPLS VPN is a collection of sites interconnected over MPLS core network. MPLS.
1 Network Architecture and Design Routing: Exterior Gateway Protocols and Autonomous Systems Border Gateway Protocol (BGP) Reference D. E. Comer, Internetworking.

1 Network Architecture and Design Routing: Exterior Gateway Protocols and Autonomous Systems Border Gateway Protocol (BGP) Reference D. E. Comer, Internetworking.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Routing So how does the network layer do its business?

Routing So how does the network layer do its business?
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—4-1 Implement an IPv4-Based Redistribution Solution Assessing Network Routing Performance and.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—4-1 Implement an IPv4-Based Redistribution Solution Assessing Network Routing Performance and.

Similar presentations

Ads by Google