BGP Flow Spec
Using BGP to Disseminate Flow Specification Rules
for Traffic Filtering Applications




Stefan Fouant
ShortestPathFirst Consulting Services
www.shortestpathfirst.com
BGP Flow Specification Overview
• Standardized in RFC 5575, entitled “Dissemination of Flow
  Specification Rules” (since obsoleted by RFC 8955, which keeps the RFC 5575
  NLRI and action encodings and adds clarifications)
  » http://tools.ietf.org/html/rfc5575

• Defines a method for the originator of a BGP NLRI to define and
  advertise a flow filter to its upstream BGP peers via BGP
• Multi vendor support
  » Supported code on Juniper, Arbor, and others

• Authors:
  » Danny McPherson (Arbor)
  » Pedro Marques (Juniper)
  » Nischal Sheth (Juniper)
  » Robert Raszuk (Juniper)
  » Barry Greene (Juniper)
  » Jared Mauch (NTT/Verio)

                       ShortestPathFirst Consulting Services
                              www.shortestpathfirst.net
What is Flow Specification
• Flow Specification defines a method and apparatus whereby traffic flow
  specifications can be distributed using a new BGP NLRI encoding format
• Primary and immediate motivation is to provide intra and inter provider
  distribution of traffic filtering rules to filter DoS and DDoS attacks
• Requires new SAFIs under the IPv4 address family (AFI=1) for BGP
  » NLRI type (AFI=1, SAFI=133) for Unicast traffic filtering applications
  » NLRI type (AFI=1, SAFI=134) for BGP/MPLS VPN environments (the NLRI is prefixed
     with an 8-octet Route Distinguisher)
  » This also means that routers MUST use BGP’s Capability Advertisement
     facility in order to exchange the Multiprotocol Extension Capability Code
     as defined in RFC4760 “Multiprotocol Extensions for BGP-4”
• A flow specification is a set of data (represented in an n-tuple) consisting of
  several matching criteria that can be applied to IP packet data
• A flow specification received from a peer must be validated against the
  unicast routing table before being accepted (see the validation procedure below)



Flow Specification Motivations
• Question: What is the primary tool used today in
  Service Provider networks to deal with DoS and DDoS
  attacks?
• Question: Are there any drawbacks to this approach?




Flow Specification Motivations
• The most commonly used Service Provider security tool used today in order to deal
  with DDoS attacks is to use BGP to redirect traffic to a discard interface (otherwise
  known as Remote Triggered Black Hole (RTBH))
• As such, using BGP to trigger security policy has been the de facto standard for some
  time
   » The drawback to this approach is that only destination prefixes may be specified, so
     all traffic to the victim prefix is dropped and the attacker still achieves the outage
     for that destination
   » Furthermore, filtering information is intermingled with routing information

• Flow spec addresses these limitations by allowing for specific NLRI to be defined
  which may convey additional information about traffic filtering rules for traffic that
  should be discarded, rate-limited, redirected or re-marked
• Since a new address family is defined, filtering information is now separated from the
  routing information (and in fact this information is kept in a separate RIB)
• Provides a tool for Network Operators to quickly react to DDoS attacks, saving
  valuable time between identification of an attack and implementation of various
  remediation schemes




Flow Specification NLRI
• A Flow Specification NLRI is defined which may include several components in order to identify particular
  flows; components appear in ascending type order and each type at most once
• The NLRI field of the MP_REACH_NLRI and MP_UNREACH_NLRI is encoded as a 1 or 2 octet NLRI length field
  followed by a variable length NLRI value. The NLRI length is expressed in octets: a length below 240
  fits in one octet, longer values use two octets whose high nibble is 0xf
                     +------------------------------+
                     |    length (0xnn or 0xfn nn)   |
                     +------------------------------+
                     |    NLRI value   (variable)    |
                     +------------------------------+

• Type 1 - Destination Prefix
   »  Match on Destination IP Prefix
• Type 2 - Source Prefix
   »  Match on Source IP Prefix
• Type 3 - IP Protocol
   »  Match on IP protocol value in IP packets
• Type 4 – Port
   »  Match on source OR destination TCP/UDP ports
• Type 5 – Destination Port
   »  Match on destination TCP/UDP ports
• Type 6 - Source Port
   »  Match on source TCP/UDP ports
• Type 7 - ICMP Type
   »  Match on the type field of an ICMP packet
• Type 8 – ICMP Code
   »  Match on the code field of an ICMP packet
• Type 9 - TCP flags
   »  Match on various TCP flags (bitmask operator)
• Type 10 - Packet length
   »  Match on IP packet length, excluding the L2 headers
• Type 11 - DSCP
   »  Match on the DSCP value in the IP TOS octet
• Type 12 - Fragment Encoding
   »  Match DF bit, First Fragment, Last Fragment, etc. (bitmask operator)
• Types 3 to 8, 10 and 11 use the numeric operator (lt/gt/eq flags, 1 to 8 octet values);
  types 9 and 12 use the bitmask operator (match/not flags)
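The encoding described above, worked through in Python as an added example (this is not code from the deck or from any vendor's implementation): it builds the wire form of an IPv4 Flow Spec NLRI (AFI 1 / SAFI 133) from components, handles the one- or two-octet length field and the operator octet, enforces the ordering rule, and parses the result back. The sample rule "UDP to 192.0.2.0/24, destination port 53" is constructed for illustration.

```python
"""RFC 5575 Flow Specification NLRI encoder/decoder (IPv4, AFI 1 / SAFI 133).
Added example for this page; constants follow RFC 5575 section 4."""
import ipaddress
import struct

# Component types (RFC 5575 section 4); components are sorted by type, each at most once.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Operator octet, MSB first as drawn in the RFC:
#   numeric: e a len len 0 lt gt eq      bitmask: e a len len 0 0 not m
END, AND = 0x80, 0x40              # e = end-of-list, a = AND with previous operator
LT, GT, EQ = 0x04, 0x02, 0x01      # numeric operator flags
NOT, MATCH = 0x02, 0x01            # bitmask operator flags (types 9 and 12)
LEN_CODE = {1: 0x00, 2: 0x10, 4: 0x20, 8: 0x30}   # value length in octets


def _value_len(value):
    for n in (1, 2, 4, 8):
        if value < 1 << (8 * n):
            return n
    raise ValueError("value does not fit in 8 octets")


def encode_prefix(ctype, prefix):
    """Type 1/2: <type, prefix-length in bits, minimal number of address octets>."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_ops(ctype, ops):
    """Types 3-12: <type, [operator, value]+>.  ops is a list of
    (flags, value, and_with_previous); the last operator gets the end-of-list bit."""
    out = bytearray([ctype])
    for i, (flags, value, and_prev) in enumerate(ops):
        n = _value_len(value)
        op = flags | LEN_CODE[n] | (AND if and_prev else 0)
        if i == len(ops) - 1:
            op |= END
        out.append(op)
        out += value.to_bytes(n, "big")
    return bytes(out)


def encode_nlri(components):
    """Prefix the concatenated, type-sorted components with the 1- or 2-octet length."""
    types = [c[0] for c in components]
    if len(set(types)) != len(types):
        raise ValueError("each component type may appear only once")
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 0xF0:                                   # fits in a single octet
        return bytes([len(body)]) + body
    if len(body) > 0x0FFF:
        raise ValueError("NLRI longer than 4095 octets")
    return struct.pack("!H", 0xF000 | len(body)) + body    # the 0xfn nn form


def decode_nlri(data):
    """Parse one NLRI; returns ({type: value}, remaining bytes).  Prefixes come back
    as strings, operator lists as (flags, value, and_with_previous) tuples."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack("!H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end = pos + length
    comps = {}
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen, pos = data[pos], pos + 1
            nbytes = (plen + 7) // 8
            addr = data[pos:pos + nbytes].ljust(4, b"\0")
            comps[ctype] = f"{ipaddress.IPv4Address(addr)}/{plen}"
            pos += nbytes
        else:
            ops = []
            while True:
                op, pos = data[pos], pos + 1
                n = 1 << ((op & 0x30) >> 4)
                ops.append((op & 0x0F, int.from_bytes(data[pos:pos + n], "big"), bool(op & AND)))
                pos += n
                if op & END:
                    break
            comps[ctype] = ops
    return comps, data[end:]


if __name__ == "__main__":
    # Constructed rule: UDP (protocol 17) to 192.0.2.0/24, destination port 53.
    rule = encode_nlri([
        encode_prefix(DST_PREFIX, "192.0.2.0/24"),
        encode_ops(IP_PROTO, [(EQ, 17, False)]),
        encode_ops(DST_PORT, [(EQ, 53, False)]),
    ])
    print(rule.hex())
    print(decode_nlri(rule)[0])
```

A port range such as "1024 to 65535" is two numeric operators chained with the AND bit (`(GT | EQ, 1024, False), (LT | EQ, 65535, True)`); the value length code is chosen per value, so the 2-octet form is used automatically there.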
Validation Procedure
• The NLRI received must be validated in order to prevent spoofing (a peer filtering traffic
  for prefixes it does not route) and to eliminate any concern that the mechanism represents
  a Denial of Service in and of itself
• A flow specification NLRI must be validated such that it is considered feasible if and
  only if:
  » a) The "originator" of the flow specification matches the "originator" of the best
      match unicast route for the destination prefix embedded in the flow specification
  » b) There are no more-specific unicast routes, when compared with the flow
      destination prefix, that have been received from a different neighboring AS than
      the best-match unicast route, which has been determined in step a)
  » "Originator" here means the ORIGINATOR_ID path attribute when present (route
      reflection), otherwise the transport address of the BGP peer the route came from
• The underlying concept is that the neighboring AS that advertises the best unicast
  route for a destination is allowed to advertise flow-spec information that conveys a
  more or equally specific destination prefix, and nothing wider
• For this to hold, a route received via eBGP must also carry the neighboring AS in the
  left-most position of its AS_PATH; optional in base BGP, this check is mandatory here
• As long as traffic filtering rules are restricted to match the corresponding unicast
  routing paths for the relevant prefixes, the security characteristics of this proposal are
  equivalent to the existing security properties of BGP unicast routing
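The two feasibility rules as executable logic, added here as an example (not code from the deck or from any router implementation). It assumes the flow specification carries a destination prefix component and that each unicast route records its originator and the neighboring AS it was learned from; the RIB and the flow routes are constructed, with documentation prefixes and private AS numbers.

```python
"""RFC 5575 section 6 validation of a received Flow Spec NLRI against the unicast RIB.
Added example for this page; the RIB and flow routes below are constructed, not real."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class UnicastRoute:
    prefix: str        # destination prefix, e.g. "192.0.2.0/24"
    originator: str    # ORIGINATOR_ID if present, else the peer's transport address
    neighbor_as: int   # neighboring AS the route was received from (left-most AS in AS_PATH)


@dataclass(frozen=True)
class FlowRoute:
    dest_prefix: str   # type 1 component of the NLRI (this check assumes it is present)
    originator: str    # same definition of "originator" as for unicast routes


def best_match(rib, dest_prefix):
    """Longest-prefix match for the flow destination in the unicast RIB."""
    dest = ipaddress.IPv4Network(dest_prefix)
    covering = [r for r in rib if dest.subnet_of(ipaddress.IPv4Network(r.prefix))]
    return max(covering, key=lambda r: ipaddress.IPv4Network(r.prefix).prefixlen, default=None)


def validate(flow, rib):
    """Return (feasible, reason).  Feasible iff
    a) the flow's originator equals the originator of the best-match unicast route, and
    b) no more-specific unicast route for the flow destination was learned from a
       different neighboring AS than that best-match route."""
    dest = ipaddress.IPv4Network(flow.dest_prefix)
    best = best_match(rib, flow.dest_prefix)
    if best is None:
        return False, "no unicast route covers the flow destination"
    if best.originator != flow.originator:            # rule a): third-party / spoofed flow
        return False, f"originator {flow.originator} is not the originator of {best.prefix}"
    for r in rib:                                     # rule b)
        rnet = ipaddress.IPv4Network(r.prefix)
        if rnet.prefixlen > dest.prefixlen and rnet.subnet_of(dest) and r.neighbor_as != best.neighbor_as:
            return False, f"more-specific {r.prefix} is routed via a different AS ({r.neighbor_as})"
    return True, "feasible"


# Constructed unicast RIB: 192.0.2.0/24 from AS 64496; 198.51.100.0/24 from AS 64497
# with a more-specific /25 learned from AS 64498.
RIB = [
    UnicastRoute("192.0.2.0/24", "203.0.113.1", 64496),
    UnicastRoute("198.51.100.0/24", "203.0.113.2", 64497),
    UnicastRoute("198.51.100.128/25", "203.0.113.3", 64498),
]

if __name__ == "__main__":
    for flow in (
        FlowRoute("192.0.2.10/32", "203.0.113.1"),     # more specific, same originator: ok
        FlowRoute("192.0.2.0/24", "203.0.113.9"),      # someone else filtering AS 64496's prefix
        FlowRoute("198.51.100.0/24", "203.0.113.2"),   # would also cover the /25 routed via AS 64498
    ):
        print(flow.dest_prefix, validate(flow, RIB))
```

The third case is the one operators most often trip over: the /24 is legitimately the peer's, but accepting a filter on it would let that peer black-hole the /25 that another AS announces, which is exactly what rule b) forbids.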




Traffic Filtering Actions
• Several BGP extended community values have been standardized to
  define the minimum set of filtering actions required in a typical flow-
  spec application:
  » Traffic-Rate extended community (type 0x8006) – most likely used for policing
     applications; the value carries a 2-octet AS number and a 4-octet IEEE float rate
     in bytes per second, where a rate of 0 means discard
  » Traffic-Action extended community (type 0x8007)
      − Terminal action (bit 47, the least significant bit of the value) – when set,
        subsequent filtering rules are still evaluated after this one; when clear,
        evaluation stops at this rule
      − Sampling (bit 46) – enable traffic sampling and logging for this flow
  » Redirect extended community (type 0x8008) – allows for the traffic to be
     redirected to a VRF routing instance for further processing; the value is the
     Route Target of that VRF
  » Traffic-Marking extended community (type 0x8009) – rewrite the DSCP of
     matching packets
• Although these extended communities have been defined, it is
  expected that each unique implementation will utilize arbitrary
  community values for various filtering actions, as heterogeneous
  networks and disparate vendors make it difficult to standardize on
  such behavior
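The action communities and the terminal-bit semantics as an added Python example (not code from the deck or from any vendor): it packs and unpacks the 8-octet extended communities with the RFC 5575 type values and then walks an ordered rule list the way the terminal-action bit dictates. The rule set, AS number and packets are constructed for illustration.

```python
"""RFC 5575 section 7 traffic-filtering actions as 8-octet BGP extended communities,
plus the ordered-evaluation semantics of the traffic-action terminal bit.
Added example for this page; rules and packets below are constructed."""
import struct

# Extended community type values (RFC 5575 section 7)
TRAFFIC_RATE, TRAFFIC_ACTION, REDIRECT, TRAFFIC_MARKING = 0x8006, 0x8007, 0x8008, 0x8009
# Traffic-action flags live in the last octet of the 6-octet value:
# terminal = bit 47 (least significant), sample = bit 46
TERMINAL, SAMPLE = 0x01, 0x02


def traffic_rate(asn, bytes_per_sec):
    """2-octet AS + IEEE single-precision rate in bytes/s; rate 0 means discard."""
    return struct.pack("!HHf", TRAFFIC_RATE, asn, float(bytes_per_sec))


def traffic_action(terminal=False, sample=False):
    flags = (TERMINAL if terminal else 0) | (SAMPLE if sample else 0)
    return struct.pack("!H5xB", TRAFFIC_ACTION, flags)


def redirect_vrf(asn, local_admin):
    """Route Target (AS:local) identifying the VRF that receives the traffic."""
    return struct.pack("!HHI", REDIRECT, asn, local_admin)


def traffic_marking(dscp):
    """Rewrite DSCP of matching packets (low 6 bits of the last octet)."""
    return struct.pack("!H5xB", TRAFFIC_MARKING, dscp & 0x3F)


def decode(ext):
    """Decode one extended community into a readable action tuple."""
    kind = struct.unpack("!H", ext[:2])[0]
    if kind == TRAFFIC_RATE:
        asn, rate = struct.unpack("!Hf", ext[2:])
        return ("discard",) if rate == 0 else ("rate-limit", asn, rate)
    if kind == TRAFFIC_ACTION:
        return ("traffic-action", bool(ext[7] & TERMINAL), bool(ext[7] & SAMPLE))
    if kind == REDIRECT:
        asn, local = struct.unpack("!HI", ext[2:])
        return ("redirect", f"{asn}:{local}")
    if kind == TRAFFIC_MARKING:
        return ("mark-dscp", ext[7] & 0x3F)
    return ("unknown", ext.hex())


def evaluate(rules, packet):
    """rules: ordered list of (match_fn, [extended communities]).
    Apply the actions of the first matching rule.  Per RFC 5575 the engine only
    goes on to later rules when that rule's terminal-action bit is SET; when it
    is clear, evaluation stops at the first match."""
    applied = []
    for match, communities in rules:
        if not match(packet):
            continue
        actions = [decode(c) for c in communities]
        applied.extend(a for a in actions if a[0] != "traffic-action")
        if not any(a[0] == "traffic-action" and a[1] for a in actions):
            break
    return applied


# Constructed policy: police DNS to 1 MB/s and keep evaluating, mark other UDP
# with DSCP 8, discard everything that reaches the last rule.
RULES = [
    (lambda p: p["proto"] == 17 and p["dport"] == 53,
     [traffic_rate(64496, 1_000_000), traffic_action(terminal=True, sample=True)]),
    (lambda p: p["proto"] == 17, [traffic_marking(8)]),
    (lambda p: True, [traffic_rate(64496, 0)]),
]

if __name__ == "__main__":
    print(evaluate(RULES, {"proto": 17, "dport": 53}))   # rate-limit, then mark-dscp
    print(evaluate(RULES, {"proto": 6, "dport": 443}))   # discard
```

Note the naming trap: a set "terminal" bit means the rule is not terminal for the evaluation, so a rate-limit rule that also carries `traffic_action(terminal=True)` can be followed by a later discard rule matching the same packet.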

Open Forum Discussion
• Future and evolution of BGP Flow Spec
• Applicability to the current network infrastructure
  » Use internally to control internal routers
  » Use externally to control upstream ISP routers
• Which ISPs are currently supporting BGP Flow Spec or are
  currently beginning technology rollouts?
• Gaining widespread acceptance within the community and
  engaging ISPs to begin implementation
• Other areas of concern
  » TIDP (Cisco's Threat Information Distribution Protocol) vs. BGP Flow Spec
      − Flow Spec for Inter-AS and TIDP for Intra-AS?
  »   IPFIX, Netflow v9, Flexible Netflow
      − How will these developments change the state of the art in networks?

Questions?
