BGP Flowspec April 2008
Agenda
• The problem
• What is Flowspec?
• Components
• Validation
• What can we do with it?
• Junos Configuration
The problem
• Service Providers are being driven to detect and mitigate denial of service attacks destined towards key customers
  – Stop bad traffic from reaching customer
• Service Providers also want to
  – Stop bad traffic consuming resources on expensive transit links
  – Be able to position as a value add to customer
Layered solution
• CPE protection
  – Customer has UTM/DI/IDP
  – Granular inspection of every packet
• Provider upstream edge detection/blocking
  – Analysis of flow information
  – Dynamic filters applied to rate limit, block or redirect specific attack traffic
  – Eliminate human error or delay associated with traditional access list mitigation
• Centralised cleaning solution
  – Value add for customer that doesn't have deep inspection capability
  – Forensic analysis / packet capture
BGP Flowspec
• Use BGP to distribute flow specification filters and dynamically filter on routers
  – Introduced in Junos 7.2
  – New BGP NLRI address family
  – Use extended communities to specify action (accept, discard, rate-limit, sample, redirect)
  – Match on a combination of source/dest prefix, source/dest port, ICMP type/code, packet size, DSCP, TCP flags, fragment encoding etc.
What is BGP Flow-Spec
• RFC 5575 - Dissemination of Flow Specification Rules
• Defines a method for the originator of a BGP NLRI to define and advertise a flow filter to its peers via BGP.
• Multi vendor support
• Co-authored with Cisco, Arbor, NTT/Verio
• Authors:
  – Jared Mauch
  – Danny McPherson
  – Robert Raszuk
  – Barry Greene
  – Pedro Marques
  – Nischal Sheth
What is BGP Flow-Spec
• Defines a way to carry "flow" in BGP
  – New Address family for BGP
  – NLRI type (afi=1, safi=133)
    AFI: address family identifier; SAFI: subsequent address family identifier
• Defines operations to perform on flows
  – Sends an "action" in a BGP Update
• Defines a Model for Validation
Component Types
• T1 Destination Address
• T2 Source Address
• T3 IP Protocol
• T4 Port (source or dest)
• T5 Destination port
• T6 Source Port
• T7 ICMP type
• T8 ICMP code
• T9 TCP flags
• T10 Packet length
• T11 DSCP
• T12 Fragment Encoding
Actions
• Carried as extended BGP communities
• Type 0x8006 Traffic-Rate
• Type 0x8007 Traffic-Action
  – Bit 0: Action set to "action or not" (filter or not)
  – Bit 1: Sample / log the packets
• Type 0x8008 Redirect
  – Send traffic to another VRF for collection
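The component types (T1 to T12) and the three action communities above, worked through on the wire as an added example; this is not code from the slides or from Junos. It follows the RFC 5575 encoding: a one-octet NLRI length below 240 octets, prefix components as a mask length plus the covered octets, numeric and bitmask components as operator/value pairs with an end-of-list bit, and the 0x8006/0x8007/0x8008 extended communities. Only the Python standard library is used; the AS number 65000 and the rule contents in the comments are constructed sample values.

```python
import ipaddress
import struct

# Component types T1..T12 from the slide (RFC 5575 section 4).
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12
PREFIX_TYPES = {DEST_PREFIX, SRC_PREFIX}

# Operator byte: end-of-list | and | 2-bit value length | lt gt eq (numeric
# components) or not match (bitmask components T9 and T12).
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01
OP_NOT, OP_MATCH = 0x02, 0x01

# Action extended communities from the slide; high byte 0x80 = transitive experimental.
TRAFFIC_RATE, TRAFFIC_ACTION, REDIRECT = 0x8006, 0x8007, 0x8008
TERMINAL, SAMPLE = 0x01, 0x02  # traffic-action bit 0 (filter) and bit 1 (sample)


def _encode_prefix(ctype, prefix):
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8  # only as many octets as the mask covers
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _encode_values(ctype, pairs):
    """pairs: [(operator_bits, value)]; the last pair gets the end-of-list bit."""
    out = bytearray([ctype])
    for i, (op, value) in enumerate(pairs):
        width = next(w for w in (1, 2, 4, 8) if 0 <= value < 1 << (8 * w))
        lenbits = (width.bit_length() - 1) << 4  # 1,2,4,8 octets -> 0x00,0x10,0x20,0x30
        out.append(op | lenbits | (OP_END if i == len(pairs) - 1 else 0))
        out += value.to_bytes(width, "big")
    return bytes(out)


def encode_nlri(components):
    """{type: prefix string or [(op, value), ...]} -> NLRI bytes.
    RFC 5575 requires ascending component type order, hence the sort."""
    body = b"".join(
        _encode_prefix(t, components[t]) if t in PREFIX_TYPES else _encode_values(t, components[t])
        for t in sorted(components)
    )
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body  # two-octet length form


def decode_nlri(data):
    """Inverse of encode_nlri; strips end-of-list and length bits from operators."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack(">H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end, comps = pos + length, {}
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype in PREFIX_TYPES:
            plen, pos = data[pos], pos + 1
            nbytes = (plen + 7) // 8
            raw = bytes(data[pos:pos + nbytes]).ljust(4, b"\x00")
            comps[ctype] = str(ipaddress.IPv4Network((raw, plen), strict=False))
            pos += nbytes
        else:
            pairs = []
            while True:
                op, pos = data[pos], pos + 1
                vlen = 1 << ((op >> 4) & 0x3)
                pairs.append((op & 0x4F, int.from_bytes(data[pos:pos + vlen], "big")))
                pos += vlen
                if op & OP_END:
                    break
            comps[ctype] = pairs
    return comps


def traffic_rate(asn, bytes_per_second):
    """0x8006: two-octet AS plus IEEE-754 float rate; a rate of 0 means discard."""
    return struct.pack(">HHf", TRAFFIC_RATE, asn, float(bytes_per_second))


def traffic_action(terminal=False, sample=False):
    """0x8007: six-octet value whose last octet carries the terminal and sample flags."""
    flags = (TERMINAL if terminal else 0) | (SAMPLE if sample else 0)
    return struct.pack(">H", TRAFFIC_ACTION) + bytes(5) + bytes([flags])


def redirect(asn, value):
    """0x8008: route-target style AS:value naming the VRF the traffic is sent to."""
    return struct.pack(">HHI", REDIRECT, asn, value)


def describe_action(ec):
    """Render one action extended community the way an operator would read it."""
    etype = struct.unpack(">H", ec[:2])[0]
    if etype == TRAFFIC_RATE:
        asn, rate = struct.unpack(">Hf", ec[2:])
        return "discard" if rate == 0 else f"rate-limit {int(rate)} bytes/s (AS{asn})"
    if etype == TRAFFIC_ACTION:
        flags = ec[7]
        return "traffic-action" + (" terminal" if flags & TERMINAL else "") + (" sample" if flags & SAMPLE else "")
    if etype == REDIRECT:
        asn, value = struct.unpack(">HI", ec[2:])
        return f"redirect {asn}:{value}"
    raise ValueError(f"not a flow-spec action community: 0x{etype:04x}")
```

A constructed rule such as `encode_nlri({DEST_PREFIX: "192.168.21.0/24", IP_PROTO: [(OP_EQ, 17)], DST_PORT: [(OP_EQ, 53)]})` yields the twelve octets `0b 01 18 c0a815 03 81 11 05 81 35`, and `traffic_rate(65000, 0)` is the discard action. Decoding a received NLRI with `decode_nlri` before installing it is also the natural place to hook the validation step described on the next slides.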
Flow Validation
• Need to validate by default to prevent spoofing
• Rules
  a) The "originator" of a flow route matches the "originator" of the best match unicast route for the destination address that is embedded in the route.
  b) There are no more-specific unicast routes, when compared to destination address of the flow route, for which the active route has been received from a different next-hop autonomous-system.
Disabling Validation
• Validate against a policy

    family inet {
        flow {
            no-validate <policy>;
        }
    }

The validation procedure is skipped for routes that match this policy.
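The two validation rules from the previous slide, together with the no-validate policy escape hatch above, as an added example (not from the slides or from Junos) run against a constructed unicast RIB. It models the "originator" of a route simply as the AS the active route was received from, a simplification of the RFC's originator / next-hop-AS notion; the prefixes, AS numbers and the `noc_policy` function are constructed for illustration.

```python
import ipaddress

# Constructed unicast RIB: prefix -> AS the active route was received from.
# (Real Junos keys on the route's originator or peer; an AS number stands in here.)
UNICAST_RIB = {
    "10.0.0.0/8": 64500,
    "10.1.0.0/16": 64500,
    "10.1.1.0/24": 64501,      # sub-block whose active route comes from a different AS
    "192.168.21.0/24": 64502,
}


def best_match(dest, rib):
    """Longest-prefix unicast route that covers the flow route's destination."""
    d = ipaddress.IPv4Network(dest)
    covering = [ipaddress.IPv4Network(p) for p in rib if d.subnet_of(ipaddress.IPv4Network(p))]
    return max(covering, key=lambda n: n.prefixlen, default=None)


def validate_flow_route(dest, originator_as, rib, no_validate=None):
    """Apply rules a) and b) from the slide; returns (accepted, reason).
    no_validate is an optional policy callable that returns True for flow routes
    the operator trusts explicitly, mirroring 'family inet flow no-validate <policy>'."""
    if no_validate is not None and no_validate(dest, originator_as):
        return True, "accepted: validation skipped by no-validate policy"
    d = ipaddress.IPv4Network(dest)
    best = best_match(dest, rib)
    if best is None:
        return False, "rejected: no unicast route covers the flow destination"
    # Rule a): the flow route must come from whoever originated the best-match unicast route.
    if rib[str(best)] != originator_as:
        return False, f"rule a: best match {best} is from AS{rib[str(best)]}, flow route from AS{originator_as}"
    # Rule b): nobody may filter a sub-block whose active route belongs to another AS.
    for prefix, asn in rib.items():
        net = ipaddress.IPv4Network(prefix)
        if net.prefixlen > d.prefixlen and net.subnet_of(d) and asn != originator_as:
            return False, f"rule b: more-specific {prefix} is active via AS{asn}"
    return True, f"accepted: best match {best} from AS{originator_as}, no conflicting more-specifics"


def noc_policy(dest, originator_as):
    """Constructed stand-in for the 'test' policy on the slide: trust AS64500's own
    flow routes for its 10.0.0.0/8 block without running the checks."""
    return originator_as == 64500 and ipaddress.IPv4Network(dest).subnet_of(ipaddress.IPv4Network("10.0.0.0/8"))


if __name__ == "__main__":
    for dest, asn in [("192.168.21.0/24", 64502), ("192.168.21.0/24", 64599),
                      ("10.1.0.0/16", 64500), ("10.1.1.1/32", 64501)]:
        print(dest, f"AS{asn}", validate_flow_route(dest, asn, UNICAST_RIB))
```

The third case in the demo loop is the one worth noticing: AS64500 legitimately owns 10.1.0.0/16, yet a flow route for the whole /16 is rejected under rule b) because 10.1.1.0/24 is active via AS64501, so a customer cannot filter traffic for a sub-block that has been delegated elsewhere. Only a no-validate policy that the operator writes deliberately lets that route through.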
What can we do with it
• Allows Customers to set their own firewalls on SP core.
  – Validation rules will avoid spoofing of flow NLRI
• Provides a tool for the NOC to quickly react to DDOS attacks.
Distributed DOS attack in the "old" days (figure)
• Customer to NOC: "Help, I'm being attacked"
• NOC might connect to each router and add a filter
The General Concept – micro view
• CPE can now react to a DOS attack

Figure (micro view): IP flows for 10/24 arrive at the SP router and cross to the CPE. The CPE advertises the BGP route 10/24 and a flow route 10.1.1.1/32 with action rate-limit ("Help, I'm being attacked"). The SP router validates the FLOW route and adds the FW filter. ZERO SP provisioning.
Figure (monitoring model)
• Data out of router: Flow (Arbor), Mirror (IDP)
• Analysis: Flow analysis, IDP inspection
• Process: vector / false positive?
• Output: Flow route, Firewall, Config push

Very small but convenient way to distribute flow. In the model for monitoring, flow is a small part of the picture.
Distributed DOS attack, CPE controlled (figure)
• IDP/NOC: "Help, I'm being attacked"
• CPE adds FLOW route to the routing table and exports the flow via BGP (Flow NLRI) to the SP router
Comparisons with current filtering methods
• Many SP's already use prefix based filters
  – Match on community
  – Set next-hop discard
  – ONLY works for destination prefix
• Flow adds granularity to this
  – Match on components
    • SA / DA / Proto / length..
  – Don't have to discard
    • Rate limit
    • Sample
    • Forwarding-class
Configuration Options: Define FLOW

    routing-options {
        flow {
            route <name> {
                match {
                    destination;
                    source;
                    protocol;
                    port;
                    destination-port;
                    source-port;
                    icmp-code;
                    icmp-type;
                    tcp-flags;
                    packet-length;
                    dscp;
                    fragment [ dont-fragment not-a-fragment is-fragment first-fragment last-fragment ];
                }
                then {
                    accept;
                    discard;
                    next-term;
                    rate-limit;
                    sample;
                    routing-instance;
                }
            }
        }
    }

    [edit protocols bgp]
    group <name> {
        family inet {
            flow;
        }
        neighbor <a.b.c.d> {
            family inet {
                flow;
            }
        }
    }
Configuration Example: Routing Options
• Define Flow routes

    routing-options {
        flow {
            route filter {
                match {
                    destination 192.168.21.0/24;
                }
                then {
                    community test;
                    rate-limit 32k;
                }
            }
        }
    }
Configuration example: BGP
• Add family flow to BGP peers

    protocols {
        bgp {
            group int {
                type internal;
                local-address 20.2.2.2;
                family inet {
                    unicast;
                    flow;        <<<
                }
                neighbor 20.3.3.3;
            }
        }
    }
Configuration example
• Define Non-Validation
    show protocols bgp
    group int {
        type internal;
        local-address 20.3.3.3;
        family inet {
            unicast;
            flow {
                no-validate test;
            }
        }
        neighbor 20.2.2.2;
    }
Diagnostics
• show route receive-protocol bgp
  – Shows received NLRI
• show route advertising-protocol bgp
  – Shows advertised NLRI
• show route flow
  – Shows active flow routes
• show route table inetflow.0
  – Shows actual defined flow routes (from routing options)
• show firewall
  – Shows installed flow filters and counters
Show Firewall
    lab@Darstardly-re0# run show firewall

    Counters:
    Name                     Bytes      Packets
    192.168.21/24,*          28672          112

    Policers:
    Name                   Packets
    192.168.21/24,*            112

    [edit]
    lab@Darstardly-re0#
Who’s using it
• Internet 2
• TimeWarner
• others looking into it
  – Dozens!

Big motivation is VoIP
Common questions
• Spoofing
  – Validation will prevent this
• Why BGP
  – It's there
• What's stopped auto configuration efforts in the past?
  – AS boundaries
  – NO tools that work
• "Configure >100 routers in seconds" (Danny McPherson)
Arbor BGP flowspec integration
Things to think about…
• Propagation of filters to SP peers?
• Use in lawful intercept?
References
• http://www.nanog.org/mtg-0610/lozano.html
• http://tools.ietf.org/id/draft-marques-idr-flow-spec-04.txt
• http://www.ietf.org/proceedings/07jul/slides/idr-0.pdf