BGP Flow specification Update - PowerPoint PPT Presentation

1 / 21

About This Presentation

Title:

BGP Flow specification Update

Description:

Flow-routes are a small part of picture. Data out of router. Flow ( Arbor ) Mirror ( IDP ) ... Its all pretty scary but flowspec is a little less scary ... – PowerPoint PPT presentation

Number of Views:157

Avg rating:3.0/5.0

Slides: 22

Provided by: davidl53

Category:

more less

Transcript and Presenter's Notes

Title: BGP Flow specification Update

1
BGP Flow specification Update

David Lambert
djl_at_juniper.net

2
What is BGP Flow-Spec

draft-marques-idr-flow-spec-XX.txt
Defines a method for the originator of a BGP NLRI
to define and advertise a flow filter to its
upstream BGP peers via BGP.
Multi vendor support
Co-authored with Cisco, Arbor, NTT/Verio
Authors
Jared Mauch
Danny McPherson
Robert Raszuk
Barry Greene
Pedro Marques
Nischal Sheth

3
What is BGP Flow-Spec

New Address family for BGP
NLRI type (afi1, safi134 )
Defines a way to carry flow in BGP
Sends a component type in a BGP update
Defines operations to perform on flows
Sends an action in a BGP Update
Defines a Model for Validation

Address family identifier / sub address family
indicator
4
Component Types

T1 Destination Address
T2 Source Address
T3 IP Protocol
T4 Port ( source or dest )
T5 Destination port
T6 Source Port
T7 ICMP type
T8 ICMP code
T9 TCP flags
T10 Packet length
T11 DSCP
T12 Fragment Encoding

5
Actions

Traffic-Rate
Traffic-Action
Action ( set to action or not )
Sample ltltlt fix this ( get explanation )
Redirect
Send traffic to another VRF for collection

6
Flow Validation

Need to validate by default to prevent spoofing
Rules
a) The "originator" of a flow route matches the
"originator" of the
best match unicast route for the destination
address that is embedded in the the route.
b) There are no more-specific unicast routes,
when compared to
destination address of the flow route, for which
the active route has
been received from a different next-hop
autonomous-system.

7
Disabling Flow Validation

No Validation is useful when you want central
flow arbitration
But its validation with conditions
Route policy

8
Disabling Validation

Validate against a policy
family inet
flow
no-validate ltpolicygt "Validation procedure is
skipped for
routes that match this policy"

9
What can we do with it

Allows Customers to set their own firewalls on SP
core.
Validation rules will avoid spoofing of flow NLRI
Provides a tool for the NOC to quickly react to
DDOS attacks.

10
A quick word on detection

Easy on CPU based routers
Chances are the CPE router can already work out
the attack vector
Some challenges on ASIC based platform.
Can be done, but it costs Service Provider
Try to push the detection/inspection to the edge
if you can.
There is a stack of IDP box solutions out there
It makes sense to give the downstream the tools
required
Empower the downstream to work it out for you
Provide a back channel for DDOS traffic.
Case of known attack ( worm announced )
Enabling floespec can save the SP Time and Money

11
Flow-routes are a small part of picture
Very small but convenient way to distribute flow
Flow route
Data out of router Flow ( Arbor ) Mirror ( IDP )
Firewall Config push
vector
Analysis Flow analysis IDP inspection
Process False positive?
12
Configuration Options Define FLOW
then accept discard next-term
rate-limit sample routing-instance
edit protocols bgp group ltnamegt
family inet flow neighbor lta.b.c.dgt
family inet flow