BGP Flowspec Introduction and Configuration

BGP Flow Specification Introduction and Configuration
1．BGP FS Requirements Background

The BGP Flow Specification function is a method to prevent DoS and DDoS attacks. By
deploying BGP FS, network security and availability can be improved.
As we know, DoS/DDoS attacks are major threat to network security. DoS/DDoS attackers
use illegal means to control thousands of attack devices to initiate traffic attacks on the same
destination address, network segment, or server at the same time, resulting in network
congestion or high CPU usage of the server to refuse services.
There are two traditional methods for preventing DoS/DDoS attacks: traffic classification
technology and redirection of attack traffic. However, these two methods have flaws:
 Traditional methods can not guarantee the real-time defense attack and need to coordinate
between multiple network service providers to identify the source of the attack.
 The matching condition of traffic filtering is single, that is, filtering can only be performed
through the destination IP address.
 Maintenance work is difficult and you need to manually modify the traffic filtering policy.
The BGP Flow Specification can solve the deficiencies of the above methods.
 The BGP network layer reachability information type defined in RFC5575 is used to deliver
traffic filtering information. Therefore, routing information and traffic filtering information
exist independently.
 Provides rich filtering conditions and processing actions to achieve more targeted traffic
control.
2．BGP FS Introduction
2.1 BGP FS Basic Concepts

The BGP Flow Specification function can do different actions for the attack traffic according
to the traffic policy receiving from the BGP Flow Specification peers. The BGP Flow Specification
features include the following basic concepts:
1) BGP Flow Specification Routes: RFC5575 defines a BGP Flow Specification route. This route
contains a new type of BGP network layer reachability information type and extended
community attributes. With this new BGP route type, BGP Flow Specification routes can
carry traffic matching conditions and actions performed after traffic matching.
2) BGP Flow Specification Peer Relationship: the peer relationship is established between the
device that creates the BGP Flow Specification route and the network ingress device. It is
used to transfer BGP Flow Specification routes. After the BGP Flow Specification peer
receives the BGP Flow Specification route, it converts the preferred route into a traffic
control policy at the forwarding layer to achieve the purpose of controlling the attack traffic.
2.2 BGP FS Description

The traditional route is originally designed for traffic forwarding. The routing table entry
<以上所有信息均为中兴通讯股份有限公司所有，不得外传> 第 1页
All Rights reserved, No Spreading abroad without Permission of ZTE
contains only the prefix mask information and traffic outbound interface information for
matching the destination address. with the needs of network service development (such as
anti-DDOS attack, traffic engineering) and supporting for traffic policies (such as: static policy
routing, etc.), network requires forward routing table entries can subdivide the data stream, not
limited to match the data stream based on the destination address, also including the source
address, ip protocol number, port number, etc.
The action for different flows is not only limited to forward traffic from an outgoing interface,
but also includes actions such as rate limiting, dropping, and redirection. However, the biggest
limitation of policy routing is that it belongs to the local behavior and needs to be configured on a
device by device basis. The maintenance workload is large, and the policy cannot be transmitted
on the network, and remote control cannot be implemented.
A BGP Flow Specification peer is established under the new address family ipv4 flowspec or
vpnv4 flowspec to advertise BGP Flow Specification routes. This BGP Flow Specification route
contains a new type of BGP network layer reachability information type and extended
community attributes. With this new feature, BGP Flow Specification routes can carry traffic
matching conditions and actions performed after traffic matching.
The traffic matching conditions that the BGP Flow Specification route can carry are as
follows:
(1) Destination address and source address
(2) IP protocol number
(3) Port number, including destination port number and source port number
(4) ICMP type and coding
(5) TCP flag
(6) DSCP value
(7) Segment types
The traffic behavior carried by the extended community attribute of the BGP Flow Specification
route is as follows:
(1) Discard traffic
(2) Flow rate limit
(3) Modify the DSCP value of the packet
(4) Redirect to VPN
The specific working process of the BGP Flow Specification function includes the following steps:
1) Network entry device sends traffic samples to the traffic analysis server.
2) When a traffic attack occurs, the traffic analysis server detects traffic sampling samples
according to predefined rules and identifies abnormal traffic.
3) The traffic analysis server creates a BGP Flow Specification route according to the
characteristics of the abnormal traffic, and then passes the BGP Flow Specification route to
pass the traffic filtering rule to the network entry device.
4) After receiving the BGP Flow Specification route, network entry translates the route into a
traffic control policy to control traffic matching rules.
3．BGP FS Configuration
Take following topology for example：

As 1 As 2
R1 R2
3.1 Establish IPv4 FS Neighbor
Configuration steps：
3.1.1 QOS configuration on R1:

ZXR10(config)#show running-config hqos
!<hqos>
class-map classmapzte flowspec-based
match ipv4 destination-address 192.168.100.1 255.255.255.255
match ipv4 source-address 0.0.0.0 0.0.0.0
match ipv4 dscp range not 30
match ipv4 icmp-code 10-20,30-40
match ipv4 icmp-type 100
match destination-port 10-20
match source-port 30-800
match fragment-type all is-fragment
match tcp-flag not any ack
match packet-length 10000
match protocol range 220
$
policy-map policymapzte flowspec-based
class classmapzte
redirect next-hop ip-address 1.2.3.4
$
$
flowspec
address-family vrf zterosngroutebgp ipv4
service-policy policymapzte
$
$
3.1.2 Establish IPv4 flowspec neighbor between R1 and R2

Step1：Configuration on R1：
ZXR10(config-bgp)#show running-config bgp
!<bgp>
router bgp 1
neighbor 10.20.1.2 remote-as 1
neighbor 10.20.1.2 activate
address-family ipv4 flowspec
Step2：Configuration on R2：
!<bgp>
router bgp 2
3.1.3 Configuration Display

1. View configuration on R1 and negotiation with R2:
ZXR10(config-bgp)#show bgp ipv4 flowspec neighbor 10.20.1.2
BGP neighbor is 10.20.1.2, remote AS 2, external link
BGP version 4, remote router ID 10.20.1.2
BGP state = Established, up for 00:01:08
Hold time is 180 seconds, keepalive interval is 60 seconds
Transport(tcp) path-mtu-discovery is disabled
Transport(tcp) maximum segment size is not set
Neighbor capabilities:
Route refresh: advertised and received
New ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Address family IPv4 Flowspec: advertised and received
...
For address family: IPv4 Flowspec
Weight is 0
All received nlri 0, unnlri 0, 0 accepted prefixes, 0 deleting prefixes
All sent nlri 0, unnlri 0, 0 advertised prefixes, advertised prefixes limit 4294
967295
Maximum limit 4294967295
Threshold for warning message 75%
Destination address validation: Enable
Redirect nexthop validation: Enable
…
2. Check routes sending entries on R1:
ZXR10(config)#show bgp ipv4 flowspec
Status codes: * valid, > best, i - internal, s - stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network codes: [ ] - index
Network Next Hop Metric LocPrf RtPrf Path
*> [1]Dest:192.168.100.1/32,Source:0.0.0.0/0,Proto:=220,DPort:>=10&<=20,SPort:
>=30&<=800,ICMPType:=100,ICMPCode:>=10&<=20|>=30&<=40,TCPFlags:!=~0x10,Length:=1
0000,DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
0.0.0.0 0 i
ZXR10(config)#show bgp ipv4 flowspec neighbor out 10.20.1.2

Routes Sent To This Neighbor:
Network Next Hop Metric LocPrf Path
[1]Dest:192.168.100.1/32,Source:0.0.0.0/0,Proto:=220,DPort:>=10&<=20,SPort:>=30&
<=800,ICMPType:=100,ICMPCode:>=10&<=20|>=30&<=40,TCPFlags:!=~0x10,Length:=10000,
DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
0.0.0.0 i
3. Check the routes reception on R2：
ZXR10(config)#show bgp ipv4 flowspec neighbor in 10.20.1.1
Routes Learned From This Neighbor:
0000,DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
0.0.0.0 20 1i
3.2 Destination Address Filtering Rules
Configuration as 3.1, Checking validity of filtering rules based on destination address
3.2.1 Viewing Information on R2

1. Viewing Neighbor Information on R2:
ZXR10(config)#show bgp ipv4 flowspec neighbor 10.20.1.1
…
Weight is 0
967295
…
2. View flowspec routing information on R2, the route is invalid:
ZXR10(config)#sho bgp ipv4 flowspec detail 1
BGP routing table entry for Index 1
NLRI(Hex dump) : 0x0120c0a8640102000381dc05030ac51406031ed5032007816408030a45140
31ec5280982100a9127100b0300451d031fc53f0c8102
FLOW : Dest:192.168.100.1/32,Source:0.0.0.0/0,Proto:=220,DPort:>=10&<=20,SPort:>
=30&<=800,ICMPType:=100,ICMPCode:>=10&<=20|>=30&<=40,TCPFlags:!=~0x10,Length:=10
000,DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
06:43:28 received from 10.20.1.1 (10.20.1.1), path-id 0
Origin i, nexthop 1.2.3.4,weight 0, rtpref 20, best, block best, selected,
As path [1]
As4 path
Flowspec Actions: Redirect-to-IP: 1.2.3.4,
Invalid due to fail to validate destination
3.2.2 Filtering Function Configuration

Configure the destination address filtering function on R2 and check the neighbor information
and received routing information:
1. Configuration on R2:
!<bgp>
neighbor 10.20.1.1 validation-disable destination
2. View neighbor information on R2:
…
Weight is 0
967295
Destination address validation: Disable
…
3. View the flowspec routing information on R2. The route is valid:
ZXR10(config-bgp-af-ipv4-flowspec)#sho bgp ipv4 flowspec detail 1
31ec5280982100a9127100b0300451d031fc53f0c8102
000,DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
As path [1]
As4 path
Advertised to UpdateGroup Index: 3
Origin i,
As path(no filter) [2 1]
As4 path(no filter)
3.2.3 Filter Function Enable and Route Advertise

The destination address filtering function is enabled on R2, and R1 configures the bgp route
192.168.100.1/32 and advertises it to R2.
1. Check the routing table on R2:
ZXR10(config)#sho ip protocol routing
Heads: Dest = Destination, Prf\RoutePrf = Router preference,
Metric\RouteMetric = Router metric
Codes: OSPF-3D = ospf-type3-discard, OSPF-5D = ospf-type5-discard, TE = rsvpte,
OSPF-7D = ospf-type7-discard, USER-I = user-ipaddr, RIP-D = rip-discard,
OSPF-E = ospf-ext, ASBR-V = asbr-vpn, GW-FWD = ps-busi, GW-UE = ps-user,
BGP-AD = bgp-aggr-discard, BGP-CE = bgp-confed-ext, NAT64 = sl-nat64-v4,
USER-N = user-network, USER-S = user-special, DHCP-S = dhcp-static,
DHCP-D = dhcp-dft, VES = video-enhanced-service
Marks: *valid, >best, s-stale
Dest NextHop RoutePrf RouteMetric Protocol
*> 10.20.1.0/24 10.20.1.2 0 0 Direct
*> 10.20.1.2/32 10.20.1.2 0 0 Address
*> 192.168.100.1/32 10.20.1.1 200 0 BGP- EXT

…
Weight is 0
967295
3. View flowspec routing information on R2, the route is valid:

31ec5280982100a9127100b0300451d031fc53f0c8102
000,DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
As path [1]
As4 path
Origin i,
As4 path(no filter)
3.3 Redirection Rule
Checking the validity of the filtering rule based on the redirected next hop
3.3.1 Configuration on R1&R2

Configuration on R1:
!<bgp>
router bgp 1
Configuration on R1:
!<bgp>
router bgp 2
3.3.2 Configuration Display
Viewing neighbor information and received routing information on R2:
…
Weight is 0
967295
…
2. View flowspec routing information on R2. The route is valid but the corresponding
extcommunity attribute is not sent:
ZXR10(config)#sho bgp ipv4 flowspec detail 1
31ec5280982100a9127100b0300451d031fc53f0c8102
000,DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
As path [1]
As4 path
Failed to validate redirect nexthop
Origin i,
As4 path(no filter)
3.3.3 Configure Next Hop Redirection Filtering Disable

Configure next hop redirection filtering on R2 and check the neighbor information and received
routing information:
Configured on R2:
!<bgp>
neighbor 10.20.1.1 validation-disable redirect
…
Weight is 0
967295
Redirect nexthop validation: Disable
…
2. View flowspec routing information on R2. The route is valid and the corresponding
extcommunity attribute is sent:
31ec5280982100a9127100b0300451d031fc53f0c8102
000,DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
As path [1]
As4 path
Origin i,
As4 path(no filter)
3.3.4 Filter enable and Route Advertise

Enable redirected next-hop filtering on R2, and configure Bgp route 1.2.3.4/32 on R1 and
advertise it to R2.
1. Check the routing table on R2：
ZXR10(config)#sho ip protocol routing
Heads: Dest = Destination, Prf\RoutePrf = Router preference,
Metric\RouteMetric = Router metric
Codes: OSPF-3D = ospf-type3-discard, OSPF-5D = ospf-type5-discard, TE = rsvpte,
OSPF-7D = ospf-type7-discard, USER-I = user-ipaddr, RIP-D = rip-discard,
OSPF-E = ospf-ext, ASBR-V = asbr-vpn, GW-FWD = ps-busi, GW-UE = ps-user,
BGP-AD = bgp-aggr-discard, BGP-CE = bgp-confed-ext, NAT64 = sl-nat64-v4,
USER-N = user-network, USER-S = user-special, DHCP-S = dhcp-static,
DHCP-D = dhcp-dft, VES = video-enhanced-service
Marks: *valid, >best, s-stale
Dest NextHop RoutePrf RouteMetric Protocol
*> 1.2.3.4/32 10.20.1.1 20 0 BGP-EXT
*> 10.20.1.0/24 10.20.1.2 0 0 Direct
*> 10.20.1.2/32 10.20.1.2 0 0 Address
…
Weight is 0
967295
3. View flowspec routing information on R2. The route is valid and the corresponding
extcommunity attribute is sent:
31ec5280982100a9127100b0300451d031fc53f0c8102
000,DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
As path [1]
As4 path
Origin i,
As4 path(no filter)
3.4 Establish VPNv4 Flowspec Neighbors
1. Configure Qos on R1 as above
2. Configure the corresponding vrf on R1 and R2
Configured on R1:
ZXR10(config-bgp)#show running-config vrf
!<vrf>
ip vrf zterosngroutebgp
rd 197:137
route-target import 1:1
route-target export 1:1
address-family ipv4
$
address-family ipv6
$
$
!</vrf>
Configured on R2:
ZXR10(config-bgp)#show running-config vrf
!<vrf>
ip vrf zterosngroutebgp
rd 197:137
route-target import 1:1
route-target export 1:1
address-family ipv4
$
address-family ipv6
$
$
!</vrf>
3.4.1 Establish VPNv4 Flowspec Neighbors

Configured on R1:
!<bgp>
router bgp 1
address-family vpnv4 flowspec
Configured on R2：
!<bgp>
router bgp 2
address-family vpnv4 flowspec
3.4.2 Check Configuration Result:

1. View configuration on R1 and negotiation with R2 :
ZXR10(config-bgp)#show bgp vpnv4 flowspec neighbor 10.20.1.2
BGP neighbor is 10.20.1.2, remote AS 2, external link
BGP version 4, remote router ID 10.20.1.2
BGP state = Established, up for 00:01:08
Hold time is 180 seconds, keepalive interval is 60 seconds
Transport(tcp) path-mtu-discovery is disabled
Transport(tcp) maximum segment size is not set
Neighbor capabilities:
Route refresh: advertised and received
New ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Address family IPv4 Flowspec: advertised and received
Address family VPNv4 Flowspec: advertised and received
...
For address family: VPNv4 Flowspec
Weight is 0
967295
…
2. Check the route sending on R1:
ZXR10(config-bgp-af-vpnv4-flowspec)#show bgp vpnv4 flowspec
Route Distinguisher:197:137
0000,DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
0.0.0.0 0 i
ZXR10(config-bgp-af-vpnv4-flowspec)#show bgp vpnv4 flowspec neighbor out 10.20.1.2
Routes Sent To This Neighbor:
Network Next Hop Metric LocPrf Path
[1]Dest:192.168.100.1/32,Source:0.0.0.0/0,Proto:=220,DPort:>=10&<=20,SPort:>=30&
<=800,ICMPType:=100,ICMPCode:>=10&<=20|>=30&<=40,TCPFlags:!=~0x10,Length:=10000,
DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
0.0.0.0 i
3. Check the route reception on R2：
ZXR10(config-bgp)#show bgp vpnv4 flowspec neighbor in 10.20.1.1
Routes Learned From This Neighbor:
0000,DSCP:>=0&<=29|>=31&<=63,Frag:=IsF
0.0.0.0 20 1i

BGP Flowspec Introduction and Configuration

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BGP Flowspec Introduction and Configuration

Uploaded by

Copyright:

Available Formats

BGP Flow Specification Introduction and Configuration

1．BGP FS Requirements Background

2.1 BGP FS Basic Concepts

2.2 BGP FS Description

Take following topology for example：

3.1 Establish IPv4 FS Neighbor

3.1.1 QOS configuration on R1:

3.1.2 Establish IPv4 flowspec neighbor between R1 and R2

3.1.3 Configuration Display

ZXR10(config)#show bgp ipv4 flowspec neighbor out 10.20.1.2

3.2 Destination Address Filtering Rules

Configuration as 3.1, Checking validity of filtering rules based on destination address

3.2.1 Viewing Information on R2

3.2.2 Filtering Function Configuration

3.2.3 Filter Function Enable and Route Advertise

2. Viewing Neighbor Information on R2:

3. View flowspec routing information on R2, the route is valid:

3.3 Redirection Rule

3.3.1 Configuration on R1&R2

3.3.3 Configure Next Hop Redirection Filtering Disable

3.3.4 Filter enable and Route Advertise

3.4 Establish VPNv4 Flowspec Neighbors

1. Configure Qos on R1 as above

3.4.1 Establish VPNv4 Flowspec Neighbors

3.4.2 Check Configuration Result:

You might also like