Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi

  1. MyNOG, 21st August 2014
     Mohd Izni Zuhdi Mohamed Rawi, izni@tm.com.my
  2. BGP Flow Specs Overview
     • Dissemination of Flow Specification Rules
     • Defined in RFC 5575, in the year 2009
     • Leverages BGP as a method to distribute flow information and the actions to be taken
     • A tool for mitigating DDoS
     • Can be used for traffic filtering in a BGP/MPLS VPN environment as well
  3. Problem Statement
     (diagram: legitimate traffic vs. illegitimate traffic)
  4. Prior to BGP Flow Spec, RTBH was used
     • Remote Triggered Blackhole
     • Changes the next-hop of the destination address to a discard interface, dropping traffic at the network edges
     • Only the destination address and a drop action can be specified
     • Filtering is mixed with routing
  5. Remote Triggered Blackhole
     (diagram: legitimate and illegitimate traffic towards customer prefixes 1.1.1.1/24 and 2.2.2.2/24; control info Dest: 1.1.1.1/32, Action: Drop)
  6. BGP Flow Spec is more flexible (1/2)
     • A new set of NLRI is introduced:
       Type 1: Match on Destination IP Prefix
       Type 2: Match on Source IP Prefix
       Type 3: Match on IP Protocol
       Type 4: Match on Source OR Destination TCP/UDP Port
       Type 5: Match on Destination TCP/UDP Port
       Type 6: Match on Source TCP/UDP Port
       Type 7: Match on Type field in ICMP packet
       Type 8: Match on Code field in ICMP packet
       Type 9: Match on various TCP Flags
       Type 10: Match on Packet Length, excluding L2 headers
       Type 11: Match on DSCP Value
       Type 12: Match on Fragment Encoding – DF, First Fragment, Last Fragment, Is a Fragment
  7. BGP Flow Spec is more flexible (2/2)
     • Multiple traffic filtering actions are possible
     • Carried in extended communities:
       ◦ Traffic-rate – defined in bytes/sec; likely use is policing a certain application
       ◦ Traffic-action – sampling & logging, subsequent traffic filtering rules
       ◦ Redirect – redirects to a specified VRF based on Route Target
       ◦ Traffic-marking – modifies DSCP to the set value
  8. Example 1: Provider advertises Flow Specs
     (diagram: customer prefixes 1.1.1.1/24 and 2.2.2.2/24; rule Dest IP: 1.1.1.1/32, Dest Port: 23, Action: Rate-limit)
  9. Example 2: Customer injects Flow Specs
     (diagram: same topology; rule Dest IP: 1.1.1.1/32, Dest Port: 23, Action: Rate-limit, originated by the customer)
  10. Validation Procedure
     • Before an advertisement is accepted, it is validated against these criteria:
       ◦ The originator matches the originator of the best-match unicast route for the destination prefix in the flow specification
       ◦ There is no more-specific unicast route, compared to the flow destination prefix, that has been received from a different neighbouring AS than the best-match unicast route determined in the step above
  11. Work in progress
     • Dissemination of Flow Specification Rules for IPv6
       draft-ietf-idr-flow-spec-v6-05 (exp 21/09/14)
     • BGP Flow-Spec Ext Community for Traffic Redirect to IP Next Hop
       draft-simpson-idr-flowspec-redirect-02 (exp 26/05/13)
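The validation procedure on slide 10 is what stops the customer injection on slide 9 from being abused to filter someone else's traffic. The following is an added example (not from the deck or any vendor implementation) that applies the two RFC 5575 checks to a constructed unicast RIB. It assumes the RIB is modelled as a dict of prefix string to the neighbouring AS the best route was received from, that the flowspec "originator" is that same neighbouring AS, and it normalises the deck's 1.1.1.1/24 and 2.2.2.2/24 customer prefixes to 1.1.1.0/24 and 2.2.2.0/24.

```python
"""RFC 5575 flowspec validation check (added example, simplified model)."""
from ipaddress import ip_network

# Constructed sample RIB: customer A announces 1.1.1.0/24 via AS65001,
# customer B announces 2.2.2.0/24 via AS65002 (ASNs are constructed).
SAMPLE_RIB = {
    "1.1.1.0/24": 65001,
    "2.2.2.0/24": 65002,
}


def best_match(routes, dest):
    """Longest-prefix unicast route covering `dest`, or None if uncovered."""
    covering = [p for p in routes if dest.subnet_of(p)]
    return max(covering, key=lambda p: p.prefixlen) if covering else None


def validate_flowspec(rib, dest_prefix, originator_as):
    """Return (accepted, reason) for a flowspec rule whose destination
    component is `dest_prefix`, received from neighbouring `originator_as`."""
    routes = {ip_network(p): asn for p, asn in rib.items()}
    dest = ip_network(dest_prefix)
    best = best_match(routes, dest)
    if best is None:
        return False, f"no unicast route covers {dest}"
    # Rule 1: originator must match the best-match unicast route's originator.
    if routes[best] != originator_as:
        return False, f"best-match {best} is from AS{routes[best]}, not AS{originator_as}"
    # Rule 2: no more-specific unicast route from a different neighbouring AS,
    # otherwise the rule could filter traffic that another neighbour owns.
    for prefix, asn in routes.items():
        if prefix.prefixlen > dest.prefixlen and prefix.subnet_of(dest) and asn != routes[best]:
            return False, f"more-specific {prefix} from AS{asn} inside {dest}"
    return True, f"accepted: covered by {best} from AS{routes[best]}"


if __name__ == "__main__":
    # Slide 9: the customer owning 1.1.1.0/24 rate-limits port 23 towards 1.1.1.1.
    print(validate_flowspec(SAMPLE_RIB, "1.1.1.1/32", 65001))
    # The other customer attempting the same rule for a prefix it does not own.
    print(validate_flowspec(SAMPLE_RIB, "1.1.1.1/32", 65002))
```

Running it shows the first rule accepted and the second rejected by rule 1; adding a more-specific 1.1.1.128/25 from a third AS makes a rule for the whole 1.1.1.0/24 fail rule 2 while a rule for 1.1.1.1/32 still passes.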
