Managing Traffic Flows via BGP FlowSpec by Mohd Izni Zuhdi Mohamed Rawi
MyNOG, 21st August 2014 Mohd Izni Zuhdi Mohamed Rawi
BGP Flow Specs Overview
• Dissemination of Flow Specification Rules
• Defined in RFC 5575, in year 2009
• Leverages BGP as a method to distribute flow information and the actions to be taken
• As a tool for mitigating DDoS
• Can be used for traffic filtering in BGP/MPLS VPN environment as well
Problem Statement
(Figure: legitimate traffic and illegitimate traffic arriving at the network)
Prior to BGP Flow Spec, RTBH was used
• Remote Triggered Blackhole
• Changes the next-hop of the destination address to a discard interface, dropping traffic at the network edges
• Only a destination address and a drop action can be specified
• Filtering is mixed with routing
Remote Triggered Blackhole
(Figure: legitimate and illegitimate traffic towards 1.1.1.1/24 and 2.2.2.2/24; control info advertised: Dest: 1.1.1.1/32, Action: Drop)
BGP Flow Spec is more flexible (1/2)
• New set of NLRI is introduced
- Type 1: Match on Destination IP Prefix
- Type 2: Match on Source IP Prefix
- Type 3: Match on IP Protocol
- Type 4: Match on Source OR Destination TCP/UDP Port
- Type 5: Match on Destination TCP/UDP Port
- Type 6: Match on Source TCP/UDP Port
- Type 7: Match on Type field in ICMP packet
- Type 8: Match on Code field in ICMP packet
- Type 9: Match on various TCP Flags
- Type 10: Match on Packet Length, excluding L2 headers
- Type 11: Match on DSCP Value
- Type 12: Match on Fragment Encoding: DF, First Fragment, Last Fragment, Is a Fragment
BGP Flow Spec is more flexible (2/2)
• Multiple traffic filtering actions are possible
• Carried in extended communities
- Traffic-rate: defined in bytes/sec, likely use is for policing a certain application; a rate of 0 discards the matching traffic
- Traffic-action: sampling & logging, and whether subsequent traffic filtering rules are evaluated
- Redirect: redirects to a specified VRF based on Route Target
- Traffic-marking: modifies the DSCP to the set value
Example 1: Provider advertises Flow Specs
(Figure: provider network serving 1.1.1.1/24 and 2.2.2.2/24; provider advertises Dest IP: 1.1.1.1/32, Dest Port: 23, Action: Rate-limit)
Example 2: Customer injects Flow Specs
(Figure: customer networks 1.1.1.1/24 and 2.2.2.2/24; customer injects Dest IP: 1.1.1.1/32, Dest Port: 23, Action: Rate-limit towards the provider)
Validation Procedure
• Before an advertisement is accepted, it is validated against these two checks:
- The originator of the flow specification matches the originator of the best-match unicast route for the destination prefix in the flow specification
- There is no more-specific unicast route, compared to the flow destination prefix, that has been received from a different neighbouring AS than the best-match unicast route determined in the step above
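Added example, not from the original deck: a minimal model of the two validation checks above, run against a constructed unicast RIB holding the best path per prefix as (prefix, originator, neighbouring AS). The addresses and AS numbers are made up, and only eBGP-learned flow routes carrying a destination-prefix component are modelled.

```python
from ipaddress import ip_network

# Constructed sample unicast RIB (best path per prefix): prefix, originator
# (ORIGINATOR_ID or peer address), and the neighbouring AS it was received from.
UNICAST_RIB = [
    ("10.0.0.0/8",    "192.0.2.1",    64500),
    ("10.1.0.0/16",   "192.0.2.1",    64500),
    ("10.1.2.0/24",   "198.51.100.7", 64501),   # more specific, different neighbouring AS
    ("172.16.0.0/12", "192.0.2.9",    64502),
]

def best_match(rib, dst):
    """Longest-prefix match of the flow's destination prefix in the unicast RIB."""
    dst = ip_network(dst)
    covering = [(ip_network(p), orig, asn) for p, orig, asn in rib
                if dst.subnet_of(ip_network(p))]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)

def validate_flowspec(rib, flow_dst, flow_originator):
    """Return (accepted, reason) for a flow route per the two RFC 5575 section 6 checks."""
    dst = ip_network(flow_dst)
    best = best_match(rib, dst)
    if best is None:
        return False, "no unicast route covers the flow destination prefix"
    best_net, best_orig, best_as = best
    # Check (a): the flow route must come from whoever originated the best-match unicast route.
    if best_orig != flow_originator:
        return False, f"originator {flow_originator} does not match unicast originator {best_orig}"
    # Check (b): no more-specific unicast route may come from a different neighbouring AS,
    # otherwise a customer could filter traffic destined to another customer's sub-prefix.
    for p, _, asn in rib:
        net = ip_network(p)
        if net.prefixlen > dst.prefixlen and net.subnet_of(dst) and asn != best_as:
            return False, f"more-specific {p} learned from AS {asn}, not AS {best_as}"
    return True, f"accepted: best match {best_net} from AS {best_as}"

if __name__ == "__main__":
    for dst, orig in [("10.1.2.3/32", "198.51.100.7"),   # accepted
                      ("10.1.2.3/32", "192.0.2.1"),      # fails (a)
                      ("10.1.0.0/16", "192.0.2.1"),      # fails (b): 10.1.2.0/24 is from AS 64501
                      ("172.16.5.0/24", "192.0.2.9"),    # accepted
                      ("192.168.0.0/16", "192.0.2.1")]:  # no covering route
        print(dst, orig, validate_flowspec(UNICAST_RIB, dst, orig))
```

The third case is the one worth remembering: the flow route for 10.1.0.0/16 comes from the legitimate originator of that prefix, yet it is still rejected because 10.1.2.0/24 inside it belongs to a different neighbouring AS, which the /16 rule would otherwise be able to rate-limit or drop.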
Work in progress
• Dissemination of Flow Specification Rules for IPv6
• draft-ietf-idr-flow-spec-v6-05 (exp 21/09/14)
• BGP Flow-Spec Ext Community for Traffic Redirect to IP Next Hop
• draft-simpson-idr-flowspec-redirect-02 (exp 26/05/13)