Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi

  1. MyNOG, 21st August 2014. Mohd Izni Zuhdi Mohamed Rawi, izni@tm.com.my
  2. BGP Flow Specs Overview
     • Dissemination of Flow Specification Rules
     • Defined in RFC 5575, in year 2009
     • Leverages BGP as a method to distribute flow information and the actions to be taken
     • A tool for mitigating DDoS
     • Can be used for traffic filtering in a BGP/MPLS VPN environment as well
  3. Problem Statement (diagram: legitimate traffic vs. illegitimate traffic)
  4. Prior to BGP Flow Spec, RTBH is used
     • Remote Triggered Blackhole
     • Changes the next-hop of the destination address to a discard interface, dropping traffic at the network edges
     • Only a destination address and a drop action can be specified
     • Filtering is mixed with routing
  5. Remote Triggered Blackhole (diagram: legitimate and illegitimate traffic towards 1.1.1.1/24 and 2.2.2.2/24; control info "Dest: 1.1.1.1/32, Action: Drop")
  6. BGP Flow Spec is more flexible (1/2)
     • A new set of NLRI is introduced:
       Type 1: Match on Destination IP Prefix
       Type 2: Match on Source IP Prefix
       Type 3: Match on IP Protocol
       Type 4: Match on Source OR Destination TCP/UDP Port
       Type 5: Match on Destination TCP/UDP Port
       Type 6: Match on Source TCP/UDP Port
       Type 7: Match on Type field in ICMP packet
       Type 8: Match on Code field in ICMP packet
       Type 9: Match on various TCP Flags
       Type 10: Match on Packet Length, excluding L2 headers
       Type 11: Match on DSCP Value
       Type 12: Match on Fragment Encoding: DF, First Fragment, Last Fragment, Is a Fragment
  7. BGP Flow Spec is more flexible (2/2)
     • Multiple traffic filtering actions are possible
     • Carried in extended communities:
       Ø Traffic-rate: defined in bytes/sec; likely use is policing a certain application
       Ø Traffic-action: sampling & logging, subsequent traffic filtering rules
       Ø Redirect: redirects to a specified VRF based on Route Target
       Ø Traffic-marking: modifies DSCP to the set value
  8. Example 1: Provider advertises Flow Specs (diagram: 1.1.1.1/24 and 2.2.2.2/24; rule "Dest IP: 1.1.1.1/32, Dest Port: 23, Action: Rate-limit")
  9. Example 2: Customer injects Flow Specs (diagram: 1.1.1.1/24 and 2.2.2.2/24; rule "Dest IP: 1.1.1.1/32, Dest Port: 23, Action: Rate-limit")
  10. Validation Procedure
     • Before an advertisement is accepted, it is validated based on these:
       Ø The originator matches the best-match unicast route for the destination prefix in the flow specification
       Ø There are no more-specific unicast routes, compared to the flow destination prefix, that have been received from a different neighbouring AS than the best-match unicast route determined in the step above
  11. Work in progress
     • Dissemination of Flow Specification Rules for IPv6
     • draft-ietf-idr-flow-spec-v6-05 (exp 21/09/14)
     • BGP Flow-Spec Ext Community for Traffic Redirect to IP Next Hop
     • draft-simpson-idr-flowspec-redirect-02 (exp 26/05/13)
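As an added illustration, not part of the slides, here is the validation procedure from slide 10 in Python. It assumes a toy unicast RIB in which each route records the neighbouring AS it was learned from (the "originator" the rule compares against); the prefixes and AS numbers are constructed sample values.

```python
import ipaddress

# Constructed sample unicast RIB: prefix plus the neighbouring AS it was learned
# from. Assumption: the originator of a route is represented by that AS number.
UNICAST_RIB = [
    {"prefix": ipaddress.ip_network("10.0.0.0/16"),   "originator_as": 65001},
    {"prefix": ipaddress.ip_network("10.0.1.128/25"), "originator_as": 65003},
    {"prefix": ipaddress.ip_network("192.0.2.0/24"),  "originator_as": 65002},
]

def best_match(rib, dest):
    """Longest-prefix unicast route covering the flow destination prefix."""
    best = None
    for route in rib:
        p = route["prefix"]
        if p.version == dest.version and dest.subnet_of(p):
            if best is None or p.prefixlen > best["prefix"].prefixlen:
                best = route
    return best

def validate_flowspec(rib, dest_prefix, originator_as):
    """Return (accepted, reason) for a flowspec rule whose Type 1 component is
    dest_prefix, received from originator_as (slide 10, steps a and b)."""
    dest = ipaddress.ip_network(dest_prefix)
    best = best_match(rib, dest)
    # Step (a): the originator must match the best-match unicast route.
    if best is None:
        return False, "no unicast route covers the flow destination prefix"
    if best["originator_as"] != originator_as:
        return False, "originator does not match best-match unicast route"
    # Step (b): no more-specific unicast route from a different neighbouring AS;
    # otherwise a rule for an aggregate could filter traffic owned by another AS.
    for route in rib:
        p = route["prefix"]
        if (p.version == dest.version and p.prefixlen > dest.prefixlen
                and p.subnet_of(dest) and route["originator_as"] != best["originator_as"]):
            return False, f"more-specific route {p} learned from AS {route['originator_as']}"
    return True, "accepted"

if __name__ == "__main__":
    for dest, asn in [("10.0.2.0/24", 65001), ("10.0.1.0/24", 65001), ("10.0.0.0/16", 65002)]:
        print(dest, asn, validate_flowspec(UNICAST_RIB, dest, asn))
```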
