Using BGP Flow-Spec for distributed micro-segmentation
Davide Pucci / 12019364
Attilla de Groot / Cumulus Networks
Data Center micro-segmentation
Micro-segmentation
Apply custom security filtering within the same VLAN.
Layer 2 segmentation
VLANs to isolate multiple flows over the same link.
Layer 3 segmentation
VRFs to separate routing tables.
Border Gateway Protocol (BGP)
BGP is the de-facto Internet routing protocol.
It learns intra-Autonomous System prefixes through iBGP.
It exchanges these internal prefixes with neighbouring Autonomous Systems through eBGP, so that traffic can be routed between them.
[Figure: three Autonomous Systems (AS #1, AS #2, AS #3) exchanging the prefix 1.0.0.0/8 over BGP]
BGP Flow Specification
RFC 5575
Dissemination of Flow Specification Rules
August 2009
An extension of BGP, originally created for the sole purpose of DDoS attack mitigation.
The Flow-Spec controller distributes filtering policies to its neighbours, the clients.
Actions against given prefixes are expressed with extended communities, and BGP itself takes care of distributing them.
BGP in Data Centers
RFC 5575
Dissemination of Flow Specification Rules
RFC 7938
Use of BGP for Routing in Large-Scale Data Centers
August 2016
Third-wave applications moved most of the traffic to an east-west direction.
This change introduced the need for more elastic Data Centers.
Every switch represents its own (private) Autonomous System.
Is the BGP Flow Specification applicable for Data Center micro-segmentation?
Distributed micro-segmentation with Flow-Spec
route flow4 { src 2.0.0.1/32; dst 1.0.0.1/32; } {
bgp_ext_community.add( (generic, 0x80060000, 0x0) );
};
[Figure: the Flow Specification controller announces the route above to the Flow Specification clients]
Open source implementations
FRR for client capabilities
Bird for controller capabilities
Custom utility for rule injection, as neither of them implements injection of the received routes into the underlying system
Open source implementations
FRR
Used to be unable to relay Flow-Spec announcements, later patched by working together with Cumulus Networks developers.
Bird
Starting from version 2.0, it correctly implements the whole Flow-Spec specification.
Rules fetcher ~ iptables on the controller
fs-controller:~# iptables -L FORWARD
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 2.0.0.1 1.0.0.1
Rules fetcher ~ Flow-Spec routes on Bird
# default policy
route flow4 { src 0.0.0.0/0; dst 0.0.0.0/0; } {
# traffic drop (traffic-rate 0)
bgp_ext_community.add( (generic, 0x80060000, 0x0) );
};
# rule 1
route flow4 { src 2.0.0.1/32; dst 1.0.0.1/32; } {
# traffic-mark with the rule number
bgp_ext_community.add( (generic, 0x80090000, 0x1) );
};
Rules transit
[Figure: the BIRD controller sends a BGP UPDATE carrying the Flow-Spec routes to the FRR clients]
Rules injector ~ Flow-Spec routes on FRR
fs-client# show bgp ipv4 flowspec detail json
{ "to":"1.0.0.1/32", "from":"2.0.0.1/32"},{ "ecomlist":"FS:marking 1"},{ "time":"00:00:09"}
{ "to":"0.0.0.0/0", "from":"0.0.0.0/0"},{ "ecomlist":"FS:rate 0.000000"},{ "time":"00:00:09"}
Rules injector ~ iptables on the controller
fs-client:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 FLOWSPEC all -- anywhere anywhere
[...]
fs-client:~# iptables -L FLOWSPEC
Chain FLOWSPEC (1 references)
num target prot opt source destination
1 ACCEPT all -- 2.0.0.1 1.0.0.1
2 DROP all -- anywhere anywhere
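The two ends of the pipeline shown on the "Rules fetcher" and "Rules injector" slides can be tied together in a few dozen lines. The following is an added example, not the custom utility the deck refers to: it encodes the two RFC 5575 actions the slides use (traffic-rate, sub-type 0x8006, and traffic-marking, sub-type 0x8009) as the generic extended-community words Bird expects, turns an `iptables -L FORWARD` listing with a DROP policy into Bird flow4 routes, and maps received Flow-Spec entries back into commands for a dedicated FLOWSPEC chain. The function names, the tuple shape used for received entries, and the sample listing are constructed for this example; only the community sub-types and the addresses come from the slides.

```python
"""Added example: iptables <-> BGP Flow-Spec translation for a controller/client pair.
Not the deck's own utility. Extended-community layout follows RFC 5575 section 7;
function names, entry format and sample data are constructed for this example."""
import re
import struct

TRAFFIC_RATE = 0x8006     # RFC 5575 sec. 7: 2-byte AS + 4-byte IEEE float rate (bytes/s); 0 = drop
TRAFFIC_MARKING = 0x8009  # RFC 5575 sec. 7: 5 reserved bytes + 1-byte DSCP; reused here as rule number


def ext_community(subtype, value):
    """Encode an action as the (high_word, low_word) pair that Bird's
    bgp_ext_community.add((generic, high, low)) takes."""
    if subtype == TRAFFIC_RATE:
        # The rate travels as a big-endian IEEE 754 float in the low 4 bytes.
        low = struct.unpack(">I", struct.pack(">f", float(value)))[0]
        return (subtype << 16, low)
    if subtype == TRAFFIC_MARKING:
        # DSCP is a 6-bit field, so rule numbers above 63 cannot be carried
        # this way (the deck's conclusion A: numbering needs its own sub-type).
        if not 0 <= int(value) <= 63:
            raise ValueError("DSCP field is 6 bits; rule number %d does not fit" % value)
        return (subtype << 16, int(value))
    raise ValueError("unsupported sub-type 0x%04x" % subtype)


# One numbered line of `iptables -L <chain>` output: "1 ACCEPT all -- 2.0.0.1 1.0.0.1"
RULE_RE = re.compile(r"^(\d+)\s+(ACCEPT|DROP)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*$")


def _cidr(addr):
    """iptables prints hosts without a mask and wildcards as 'anywhere'."""
    if addr == "anywhere":
        return "0.0.0.0/0"
    return addr if "/" in addr else addr + "/32"


def _flow4(src, dst, high, low):
    return ("route flow4 { src %s; dst %s; } {\n"
            "  bgp_ext_community.add((generic, 0x%08x, 0x%x));\n"
            "};" % (src, dst, high, low))


def forward_to_flow4(listing):
    """Controller side (fetcher): each ACCEPT rule of a DROP-policy FORWARD chain
    becomes a marking route carrying its rule number; the chain policy becomes a
    catch-all traffic-rate-0 route, as on the 'Flow-Spec routes on Bird' slide."""
    lines = listing.strip().splitlines()
    policy = re.search(r"policy (\w+)", lines[0])
    if not policy or policy.group(1) != "DROP":
        raise ValueError("expected a FORWARD chain with policy DROP")
    routes = []
    for line in lines[1:]:
        m = RULE_RE.match(line.strip())
        if not m or m.group(2) != "ACCEPT":
            continue  # header line, or a DROP rule already covered by the policy
        num, _, src, dst = m.groups()
        high, low = ext_community(TRAFFIC_MARKING, int(num))
        routes.append(_flow4(_cidr(src), _cidr(dst), high, low))
    high, low = ext_community(TRAFFIC_RATE, 0)
    routes.append(_flow4("0.0.0.0/0", "0.0.0.0/0", high, low))
    return "\n".join(routes)


def flowspec_to_iptables(entries):
    """Client side (injector): entries are (src, dst, subtype, value) tuples, a
    constructed shape standing in for what the FRR listing reports. Marked entries
    are ordered by rule number and the rate-0 catch-all goes last, so the FLOWSPEC
    chain reproduces the controller's FORWARD chain. Commands are returned, not run."""
    accepts, drops = [], []
    for src, dst, subtype, value in entries:
        if subtype == TRAFFIC_MARKING:
            accepts.append((int(value), src, dst, "ACCEPT"))
        elif subtype == TRAFFIC_RATE and float(value) == 0.0:
            drops.append((1 << 30, src, dst, "DROP"))  # sort key past any DSCP value
        else:
            raise ValueError("unsupported action for %s -> %s" % (src, dst))
    cmds = ["iptables -N FLOWSPEC", "iptables -I FORWARD 1 -j FLOWSPEC"]
    for _, src, dst, target in sorted(accepts) + drops:
        cmds.append("iptables -A FLOWSPEC -s %s -d %s -j %s" % (src, dst, target))
    return cmds


# Constructed sample mirroring the 'Rules fetcher' slide's listing.
SAMPLE_FORWARD = """Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 2.0.0.1 1.0.0.1
"""

# Constructed sample of what the client receives (cf. the FRR listing: marking 1, rate 0).
SAMPLE_RECEIVED = [
    ("2.0.0.1/32", "1.0.0.1/32", TRAFFIC_MARKING, 1),
    ("0.0.0.0/0", "0.0.0.0/0", TRAFFIC_RATE, 0.0),
]

if __name__ == "__main__":
    print(forward_to_flow4(SAMPLE_FORWARD))
    print("\n".join(flowspec_to_iptables(SAMPLE_RECEIVED)))
```

Running it prints the same two flow4 routes the Bird slide shows and the three iptables commands that build the FLOWSPEC chain of the client slide. The 6-bit check in `ext_community` is the practical limit of carrying rule numbers in the DSCP marking community, which is why the deck's conclusion A asks for a dedicated sub-type.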
Flow Specification is suitable for such a purpose, and:
A. Rule numbering must be carried along with the routes, preferably with its own extended community sub-type
B. A proper implementation of route injection into the underlying system is still missing
C. Rule application can be filtered at the BGP level, using the Route Target extended community, to achieve higher scalability
Thank you.
Cumulus Networks: https://cumulusnetworks.com
Security and Network Engineering: https://os3.nl
University of Amsterdam: https://uva.nl
Davide Pucci: https://davidepucci.it