OpenContrail tech doc in Japanese
1. Routing architecture and implementation
2. Service chaining architecture and implementation
3. Neutron router with OpenContrail
4. HA walk
The document discusses using the OpenDaylight BGP speaker to handle different types of routes including:
1. Link-state routes from IS-IS or OSPF that are advertised via BGP-LS and used to create a link-state topology.
2. IPv4 and IPv6 routes that are learned and advertised across domains.
3. Flowspec routes that function similarly to OpenFlow rules but can leverage the BGP route reflector infrastructure, with actions encoded as BGP communities.
The document outlines how to configure the BGP speaker through RESTCONF to handle these different routes and advertise them, and provides demos of using it for BGP-LS/PCEP, advertising IPv4
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi (MyNOG)
BGP Flow Specs allow more flexible traffic filtering than previous methods like RTBH: they can match traffic on multiple fields such as source/destination IP and port, protocol, etc., and specify multiple actions such as rate-limiting, redirecting, or marking traffic. Flow specs are distributed using BGP and validated by checking that the origin AS matches the best route for the destination prefix. Work is ongoing to support Flow Specs for IPv6 and traffic redirect using an IP next hop.
BMP (BGP Monitoring Protocol) allows routers to send BGP peer route updates and statistics to external monitoring stations. It provides access to the pre-policy routing table (Adj-RIB-In) of peers on an ongoing basis. Cisco supports BMP in IOS-XE and IOS-XR routers. OpenBMP is an open-source BMP collector that stores updates in a MySQL database for analysis.
2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 Sho... (Shuichi Ohkubo)
The document summarizes an interoperability test of BGP Flowspec functionality across Cisco, Huawei, and Juniper routers at Interop Tokyo 2015. The test confirmed basic BGP Flowspec action rules like drop, rate-limiting, and VRF redirection worked across all vendors. Some differences in NLRI formats and match bits were found for TCP flag and fragment match types. The document also provides an example use case of filtering SSH brute-force attacks and discusses additional configuration needed for Juniper routers.
This document discusses using BGP Flowspec for DDoS mitigation. It provides an overview of legacy DDoS mitigation methods, describes how BGP Flowspec works by distributing flow specifications using BGP, and gives examples of how it can be used for inter-domain and intra-domain DDoS mitigation as well as with a scrubbing center. It also discusses vendor support, advantages over previous methods, potential issues, real world deployments, and the current state and future of BGP Flowspec.
Protect your edge BGP security made simple (Pavel Odintsov)
SysEleven filters routes to protect its edge by rejecting bogon prefixes and invalid routes. It generates prefix filters automatically based on peer AS sets to apply strict inbound filtering. It also uses RPKI to validate routes and reject invalid announcements. For DDoS mitigation, it uses FastNetMon for detection and FlowSpec to propagate rate limiting filters via BGP to upstream providers for quick attack mitigation in under 2 minutes. Open source tools like bgpq3, aggregate, and GoBGP help implement these solutions in a cost effective manner.
Marek discusses how his company Faelix uses MikroTik hardware and RouterOS at their network edges to route over 600k IPv4 and 30k IPv6 routes. While there were some initial issues, MikroTik has proven reliable and cost-effective. Marek then explains how Faelix implements firewalling with zero filter rules through a multi-step process. They use fail2ban to block brute force attacks, AMQP to share block lists across routers, and destination NAT for misbehaving traffic. Most importantly, they leverage the "/ip route rule" feature to route blocked traffic to a separate routing table for easy isolation without complex firewall rules.
BGP Flowspec (RFC5575) Case study and Discussion (APNIC)
BGP Flowspec is a technique for distributing flow specification rules via BGP. It allows an ISP to dynamically distribute filtering and redirection rules to mitigate DDoS attacks. The document discusses several real-world use cases where BGP Flowspec was deployed to successfully block large DDoS attacks in a targeted manner without affecting legitimate traffic. However, interoperability between vendors and scalability challenges remain open issues requiring further work and testing.
This document discusses BGP flow specification phase 2 which focuses on BGP persistence. It describes the problem that current BGP flowspec policies are withdrawn if the route reflector or controller fails, leaving the network vulnerable. BGP persistence aims to keep filters and policies active for a configurable time like hours or days until the route reflector or controller returns. The configuration allows setting a stale time on a per address family basis to control how long policies persist after a failure.
BGP started in 1989 to connect autonomous systems in a stable, efficient manner. This document outlines advancements in BGP infrastructure, VPN enhancements, and high availability features. Infrastructure enhancements improve areas like keepalive processing and update generation. VPN enhancements support technologies like iBGP between PE and CE routers, multicast VPNs, and EVPN. High availability features include graceful shutdown, fast convergence using PIC, and non-stop routing.
- Service chaining provides a common way to deliver multiple services in a specific order, decoupling network topology from services and enabling dynamic service insertion.
- It has both a data plane, using a common service header (NSH) to build service chains, and a control plane for policy and mapping overlay addresses to the physical network.
- Work has included implementing NSH encapsulation/decapsulation in OVS and adding Wireshark support, with ongoing work on LISP integration and control plane functionality.
BGP Flow Specification allows network operators to define and distribute traffic filtering rules via BGP. This helps operators quickly mitigate DDoS attacks by filtering traffic at an upstream level rather than just blackholing entire prefixes. It separates filtering information from routing data using new BGP address families. Validating flow specifications against the best unicast route helps prevent spoofing. Common filtering actions include traffic policing, sampling, and redirection. While some ISPs have begun implementations, widespread adoption is still needed to realize the benefits of centralized DDoS defense using BGP Flow Specification.
This diagram depicts the connectivity between various cloud providers and networks. It shows the physical connections between cloud platforms like AWS, Azure, Google Cloud, and others. It also illustrates the internet exchanges and network providers that interconnect these cloud networks globally.
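ShowNet2021 exhibition hall explanatory slides (parapara)
DC
Highly reliable services realized through on-premises/cloud integration and flexible storage
- Virtualization platform in a hybrid cloud configuration that supports ShowNet
- High-speed container storage using NVMe over Fabrics
- Flexible service management with Kubernetes multi-clusters spanning on-premises and multiple clouds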