Managing Traffic Flows via BGP Flowspec

MyNOG, 21st August 2014, Mohd Izni Zuhdi Mohamed Rawi [email protected]


Page 1: Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi

MyNOG, 21st August 2014 Mohd Izni Zuhdi Mohamed Rawi

[email protected]

Page 2

BGP Flow Specs Overview

•  Dissemination of Flow Specification Rules

•  Defined in RFC 5575, published in 2009

•  Leverages BGP as a method to distribute flow information and the actions to be taken

•  A tool for mitigating DDoS

•  Can be used for traffic filtering in BGP/MPLS VPN environments as well

Page 3

Problem Statement

[Diagram: legitimate and illegitimate traffic flowing toward the same destination network]

Page 4

Prior to BGP Flow Spec, RTBH was used

•  Remote Triggered Blackhole

•  Changes the next-hop of the destination address to a discard interface, dropping traffic at the network edges

•  Only a destination address and a drop action can be specified, so legitimate traffic to the blackholed address is discarded together with the attack

•  Filtering is mixed with routing

Page 5

Remote Triggered Blackhole

[Diagram: legitimate and illegitimate traffic between networks 1.1.1.0/24 and 2.2.2.0/24; the RTBH control information "Dest: 1.1.1.1/32, Action: Drop" is distributed via BGP, so all traffic to 1.1.1.1, legitimate and illegitimate, is dropped at the edge]

Page 6

BGP Flow Spec is more flexible (1/2)

•  A new set of NLRI is introduced (SAFI 133 for IPv4, SAFI 134 for BGP/MPLS VPN), with these component types:

Type 1: Match on Destination IP Prefix

Type 2: Match on Source IP Prefix

Type 3: Match on IP Protocol

Type 4: Match on Source OR Destination TCP/UDP Port

Type 5: Match on Destination TCP/UDP Port

Type 6: Match on Source TCP/UDP Port

Type 7: Match on Type field in ICMP packet

Type 8: Match on Code field in ICMP packet

Type 9: Match on various TCP Flags

Type 10: Match on Packet Length, excluding L2 headers

Type 11: Match on DSCP Value

Type 12: Match on Fragment Encoding – DF, First Fragment, Last Fragment, Is a Fragment

Page 7

BGP Flow Spec is more flexible (2/2)

•  Multiple traffic filtering actions are possible

•  Carried in extended communities attached to the flow-spec route

Ø  Traffic-rate (0x8006) – defined in bytes/sec, likely use is policing a certain application; a rate of 0 discards all matching traffic

Ø  Traffic-action (0x8007) – sampling & logging (S bit), and whether subsequent traffic filtering rules are still evaluated (T, terminal action, bit)

Ø  Redirect (0x8008) – redirects to the VRF identified by the Route Target carried in the community

Ø  Traffic-marking (0x8009) – rewrites the DSCP to the set value
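As an added example (not part of the original slides), the following Python encodes and decodes the RFC 5575 NLRI component types listed on the previous slide and the four action extended communities above. The sample rule, destination 1.1.1.1/32 and destination port 23, is the one used later in the deck; the AS number 65000 and the 125000 bytes/s rate are assumed values for the example.

```python
"""Encoder/decoder for RFC 5575 BGP Flow Specification NLRI and actions.
Added example. Component and community layouts follow RFC 5575; the
telnet rule is from the slides, ASN 65000 and the rate are assumed."""
import ipaddress
import struct

# Numeric operator byte (RFC 5575 sec. 4): e = end of list, a = AND with the
# previous pair, two len bits select a 1/2/4/8-byte value, then lt/gt/eq.
# Bitmask types (9 TCP flags, 12 fragment) reuse the two low bits as not/match.
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01
PREFIX_TYPES = {1, 2}  # Type 1 destination prefix, Type 2 source prefix


def _len_code(value):
    """Smallest 1/2/4/8-byte field holding value, with its 2-bit len code."""
    for code, size in enumerate((1, 2, 4, 8)):
        if value < 1 << (8 * size):
            return code, size
    raise ValueError("value does not fit in 8 bytes")


def encode_component(ctype, spec):
    """Types 1-2 take 'a.b.c.d/len'; types 3-12 take [(op_bits, value), ...]
    with the a/lt/gt/eq (or not/match) bits; len and e bits are set here."""
    if ctype in PREFIX_TYPES:
        net = ipaddress.IPv4Network(spec)
        nbytes = (net.prefixlen + 7) // 8  # only the significant octets
        return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]
    out = bytearray([ctype])
    for i, (op, value) in enumerate(spec):
        code, size = _len_code(value)
        op = (op & 0x47) | (code << 4)
        if i == len(spec) - 1:
            op |= OP_END
        out.append(op)
        out += value.to_bytes(size, "big")
    return bytes(out)


def encode_nlri(components):
    """components: {type: spec}; the NLRI lists them in ascending type order."""
    body = b"".join(encode_component(t, components[t]) for t in sorted(components))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body  # two-octet length form


def decode_nlri(data):
    """Inverse of encode_nlri: returns ({type: spec}, trailing bytes)."""
    length, offset = data[0], 1
    if length >= 0xF0:
        length, offset = struct.unpack(">H", data[:2])[0] & 0x0FFF, 2
    body, rest = data[offset:offset + length], data[offset + length:]
    comps, i = {}, 0
    while i < len(body):
        ctype, i = body[i], i + 1
        if ctype in PREFIX_TYPES:
            plen, i = body[i], i + 1
            nbytes = (plen + 7) // 8
            addr = body[i:i + nbytes].ljust(4, b"\x00")
            i += nbytes
            comps[ctype] = f"{ipaddress.IPv4Address(addr)}/{plen}"
            continue
        pairs = []
        while True:
            op, i = body[i], i + 1
            size = 1 << ((op >> 4) & 0x03)
            pairs.append((op & 0x47, int.from_bytes(body[i:i + size], "big")))
            i += size
            if op & OP_END:
                break
        comps[ctype] = pairs
    return comps, rest


# Actions are 8-octet extended communities (RFC 5575 sec. 7).
def traffic_rate(asn, bytes_per_sec):
    """0x8006: IEEE-754 float rate in bytes/s; 0.0 drops all matching traffic."""
    return struct.pack(">HHf", 0x8006, asn, bytes_per_sec)


def traffic_action(sample=False, terminal=False):
    """0x8007: S bit (sample/log) and T bit (terminal: stop rule evaluation)."""
    return struct.pack(">H5xB", 0x8007, (int(sample) << 1) | int(terminal))


def redirect_to_vrf(asn, assigned):
    """0x8008: Route Target (2-octet AS form) of the VRF to redirect into."""
    return struct.pack(">HHI", 0x8008, asn, assigned)


def traffic_marking(dscp):
    """0x8009: rewrite the 6-bit DSCP of matching packets."""
    return struct.pack(">H5xB", 0x8009, dscp & 0x3F)


def decode_action(ext):
    """Return (name, value) for one flow-spec action extended community."""
    ctype = struct.unpack(">H", ext[:2])[0]
    if ctype == 0x8006:
        return "traffic-rate", struct.unpack(">Hf", ext[2:])
    if ctype == 0x8007:
        return "traffic-action", {"sample": bool(ext[7] & 2), "terminal": bool(ext[7] & 1)}
    if ctype == 0x8008:
        return "redirect", "%d:%d" % struct.unpack(">HI", ext[2:])
    if ctype == 0x8009:
        return "traffic-marking", ext[7] & 0x3F
    raise ValueError("not a flow-spec action community: %#06x" % ctype)


# The slides' rule: police telnet to 1.1.1.1 (assumed rate 125000 B/s = 1 Mbit/s).
TELNET_RULE = encode_nlri({1: "1.1.1.1/32", 5: [(OP_EQ, 23)]})
TELNET_ACTION = traffic_rate(65000, 125000.0)
```

`TELNET_RULE` comes out as `09 01 20 01010101 05 81 17`: a 9-octet NLRI, the /32 destination prefix, then one port component whose operator byte 0x81 means "end of list, 1-byte value, equal". Pairing the same NLRI with `traffic_rate(65000, 0.0)` gives the drop behaviour of RTBH, but keyed on destination and port rather than destination alone.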

Page 8

Example 1: Provider advertises Flow Specs

[Diagram: networks 1.1.1.0/24 and 2.2.2.0/24; the provider originates the flow spec "Dest IP: 1.1.1.1/32, Dest Port: 23, Action: Rate-limit"]

Page 9

Example 2: Customer injects Flow Specs

[Diagram: the customer network 1.1.1.0/24 injects the flow spec "Dest IP: 1.1.1.1/32, Dest Port: 23, Action: Rate-limit" towards the provider, which propagates it]

Page 10

Validation Procedure

•  Before an advertisement is accepted, it is validated against these conditions (RFC 5575 section 6):

Ø  The originator of the flow specification matches the originator of the best-match unicast route for the destination prefix in the flow specification

Ø  There are no more-specific unicast routes, compared to the flow destination prefix, that have been received from a different neighbouring AS than the best-match unicast route determined in the step above

•  The effect is that a customer or peer can only inject flow specifications for destination prefixes it already announces, i.e. for traffic that is already routed towards it
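The two conditions above, implemented as an added example that is not part of the original slides. The unicast RIB is modelled as (prefix, neighbouring AS) tuples; the prefixes 1.1.1.0/24 and 2.2.2.0/24 are the deck's, while the AS numbers and the 1.1.1.128/25 more-specific are constructed to exercise the second condition.

```python
"""RFC 5575 section 6 validation of a received flow specification.
Added example. The RIB holds the neighbouring AS each best unicast route
was learned from; AS numbers and the /25 are constructed for the example."""
import ipaddress

# Constructed unicast RIB: best route per prefix and the AS it came from.
SAMPLE_RIB = [
    ("1.1.1.0/24", "AS64501"),
    ("2.2.2.0/24", "AS64502"),
    ("1.1.1.128/25", "AS64503"),  # a more-specific announced by a third party
]


def best_match(rib, dest):
    """Longest-prefix unicast route covering the flow destination prefix."""
    covering = [(net, origin) for net, origin in rib if dest.subnet_of(net)]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)


def validate_flowspec(rib, dest_prefix, flow_originator):
    """Return (accepted, reason) for a flow spec with destination dest_prefix
    received from flow_originator, applying both RFC 5575 conditions."""
    dest = ipaddress.ip_network(dest_prefix)
    rib = [(ipaddress.ip_network(p), origin) for p, origin in rib]
    best = best_match(rib, dest)
    if best is None:
        return False, "no unicast route covers the flow destination"
    best_net, best_origin = best
    # (a) the flow spec must come from whoever the destination is routed towards.
    if flow_originator != best_origin:
        return False, f"originator {flow_originator} differs from unicast originator {best_origin}"
    # (b) no more-specific unicast route from another AS may carve out part of
    # the destination prefix, otherwise the flow spec would filter their traffic.
    for net, origin in rib:
        if net.subnet_of(dest) and net.prefixlen > dest.prefixlen and origin != best_origin:
            return False, f"more-specific {net} learned from {origin}"
    return True, f"accepted: best match {best_net} via {best_origin}"


if __name__ == "__main__":
    for dest, origin in [("1.1.1.1/32", "AS64501"),    # customer filters its own host
                         ("1.1.1.1/32", "AS64502"),    # another customer tries to filter it
                         ("1.1.1.0/24", "AS64501"),    # overlaps the /25 from AS64503
                         ("1.1.1.200/32", "AS64503"),  # inside the /25, so AS64503 may
                         ("3.3.3.3/32", "AS64501")]:   # no covering unicast route
        print(dest, origin, validate_flowspec(SAMPLE_RIB, dest, origin))
```

The third case is the one operators most often trip over: AS64501 legitimately announces 1.1.1.0/24, but because AS64503 announces a more-specific 1.1.1.128/25, a flow spec covering the whole /24 is rejected; a flow spec for 1.1.1.1/32, which lies outside the /25, is accepted.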

Page 11

Work in progress

•  Dissemination of Flow Specification Rules for IPv6

•  draft-ietf-idr-flow-spec-v6-05 (expires 21/09/14)

•  BGP Flow-Spec Ext Community for Traffic Redirect to IP Next Hop

•  draft-simpson-idr-flowspec-redirect-02 (expired 26/05/13)
