BGP FlowSpec (RFC 5575) route injector

Thomas Mangin thomas.mangin at exa-networks.co.uk
Wed Feb 3 13:06:16 CST 2010


Hi,

I just added some preliminary support for FlowSpec (RFC5575) to my BGP route injector http://bgp.exa.org.uk/
As I am not aware of any other project allowing one to inject flow routes into a network, I am taking the liberty to plug it here.

You can access the SVN repository at: http:/svn.exa.org.uk/bgp/trunk/ The code is under a 3-clause BSD licence.
More information about the installation is available on the wiki.

I performed basic testing by rate-limiting one of my coworkers' mail and web flows - seems to work - for the rest, it may not do what it should.

If you are interested, have any questions, or are missing a feature, or just find any bugs, please, just let me know.

Changing the configuration and SIGHUPing the application sends the peers the correct update messages to change the peer RIB.
Or just enable graceful-restart and restart the application if you do not care about the number of updates :p

More information:
- http://www.terena.org/activities/tf-ngn/tf-ngn17/uze-flowspec.pdf
- http://resources.nznog.org/2006/Friday-240306/DavidLambert-BGPFlowSpecificationUpdate/Lambert.ppt
- http://uknof.org/uknof15/Mangin-NakedBGP.pdf (another shameless self-plug - BGP overview - 3 slides on FlowSpec)

Thomas
--
Exa Networks Limited - http://www.exa-networks.co.uk/
Company No. 04922037 - VAT no. 829 1565 09
27-29 Mill Field Road, BD16 1PY, UK
Phone: +44 (0) 845 145 1234 - Fax: +44 (0) 1274 567646

---------

neighbor 82.219.123.221 {
     [....] 
     flow {
             route {
                     match {
                             source 10.0.0.1/32;
                             destination 192.168.0.1/32;
                             port =80;
                             destination-port =3128 >8080&<8088;
                             source-port >1024;
                             protocol tcp;
#                           protocol [ tcp udp ];
#                           packet-length >200&<300 >400&<500;
#                           fragment not-a-fragment;
#                           fragment [ first-fragment last-fragment ];
#                           icmp-type [ unreachable echo-request echo-reply ];
#                           icmp-code [ host-unreachable network-unreachable ];
#                           tcp-flags [ urgent rst ];
#                           dscp [ 10 20 ];

                     }
                     then {
                             discard;
#                           rate-limit 9600;
#                           redirect 65500:12345;
#                           redirect 1.2.3.4:5678;
                     }
             }
     }
}


thomas.mangin at m7i-4.u3.tcw.uk> show configuration logical-routers trap protocols bgp 
local-as 30740;
group flow {
 type external;
 multihop;
 local-preference 100;
 local-address 82.219.123.221;
 import no-export;
 export deny-all;
 peer-as 65500;
 neighbor 82.219.131.242 {
     traceoptions {
         file bgp;
         flag all;
     }
     family inet {
         unicast;
         flow {
             no-validate everything;
         }
     }
     family inet6 {
         unicast;
     }
 }
}

thomas.mangin at m7i-4.u3.tcw.uk> show configuration logical-routers trap policy-options policy-statement everything       
then accept;

# env PYTHONPATH=~/source/bgp/lib/ python daemon/bgpd etc/bgp/m7i-service.txt 
033 12:28:13      Supervisor/        performing reload
033 12:28:13      Supervisor/        New Peer 82.219.123.221
033 12:28:14    82.219.123.221/  30740 -> OPEN version=4 asn=65500 hold_time=180 router_id=82.219.131.242 capabilities=[Graceful Restart Flags 0x8 Time 5 IPv4/flow-ipv4=0x80 IPv4/unicast=0x80 IPv6/unicast=0x80, Multiprotocol IPv4 unicast IPv6 unicast IPv4 flow-ipv4]
033 12:28:15    82.219.123.221/  30740 <- OPEN version=4 asn=30740 hold_time=90 router_id=82.219.123.221 capabilities=[Cisco Route Refresh (unparsed), Multiprotocol IPv4 unicast IPv6 unicast IPv4 flow-ipv4, Route Refresh (unparsed)]
033 12:28:16    82.219.123.221/  30740 -> KEEPALIVE
033 12:28:17    82.219.123.221/  30740 <- KEEPALIVE
announcing     IPv6 unicast 2a02:b80:0:6:50::1/128 next-hop 2a02:b80::90:0:52e:0:1 med 100
announcing     IPv4 flow-ipv4 destination 192.168.0.1/32,source 10.0.0.1/32,protocol =TCP,port =80,destination-port =3128 >8080&<8088,source-port >1024 extended community [ 0x80 0x6 0x0 0x0 0x0 0x0 0x0 0x0 ]
announcing     IPv4 unicast 82.219.4.100/32 next-hop 82.219.4.101 med 100
033 12:28:17    82.219.123.221/  30740 -> UPDATE (3)
033 12:28:17    82.219.123.221/  30740 <- KEEPALIVE

thomas.mangin at m7i-4.u3.tcw.uk> show route logical-router trap table inetflow.0 extensive 

inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
192.168.0.1,10.0.0.1,proto=6,port=80,dstport=3128,>8080&<8088,srcport>1024/256 (1 entry, 0 announced)
     *BGP    Preference: 170/-101
             Next hop type: Fictitious
             Next-hop reference count: 1
             State: <Active Ext>
             Peer AS: 65500
             Age: 1:13 
             Task: BGP_65500_30740.82.219.131.242+32319
             AS path: 65500 I
             Communities: no-export traffic-rate:0:0
             Localpref: 100
             Router ID: 82.219.131.242
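As an added illustration (not code from the injector or from ExaBGP), here is a small Python encoder for the RFC 5575 NLRI and traffic-rate extended community that the match/then block above is turned into, matching the "IPv4 flow-ipv4 ..." line and the [ 0x80 0x6 0x0 ... ] community in the log; the function and constant names are my own.

```python
import ipaddress
import struct

# RFC 5575 component types used by the flow in the config above (types must be emitted in ascending order)
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
OP_LT, OP_GT, OP_EQ = 0x04, 0x02, 0x01   # numeric operator comparison bits
OP_AND, OP_END = 0x40, 0x80              # "and with previous term" bit, "end of list" bit


def _prefix_component(ctype, cidr):
    """Type 1/2 component: type, prefix length, then only as many prefix octets as the length needs."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, terms):
    """Type 3-6 component from (op_bits, value) terms; values use a 1- or 2-octet length field."""
    out = bytearray([ctype])
    for i, (op, value) in enumerate(terms):
        if value > 0xFF:
            op |= 0x10                      # len bits = 01 -> 2-octet value
            body = struct.pack("!H", value)
        else:
            body = bytes([value])
        if i == len(terms) - 1:
            op |= OP_END                    # last term of this component
        out += bytes([op]) + body
    return bytes(out)


def flowspec_nlri(components):
    """Prefix the concatenated components with the NLRI length (1-octet form is enough here)."""
    body = b"".join(components)
    assert len(body) < 240, "two-octet length form not implemented"
    return bytes([len(body)]) + body


def traffic_rate_community(asn, rate_bytes_per_sec):
    """Extended community type 0x80 subtype 0x06: 2-octet AS, 4-octet IEEE float; rate 0.0 means discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


def example_flow():
    """The match block from the injector config above: tcp 10.0.0.1 -> 192.168.0.1, port 80, ..."""
    return flowspec_nlri([
        _prefix_component(DEST_PREFIX, "192.168.0.1/32"),
        _prefix_component(SRC_PREFIX, "10.0.0.1/32"),
        _numeric_component(IP_PROTO, [(OP_EQ, 6)]),
        _numeric_component(PORT, [(OP_EQ, 80)]),
        _numeric_component(DST_PORT, [(OP_EQ, 3128), (OP_GT, 8080), (OP_AND | OP_LT, 8088)]),
        _numeric_component(SRC_PORT, [(OP_GT, 1024)]),
    ])
```

The "discard" action corresponds to traffic_rate_community(0, 0.0), which is the all-zero rate shown in the log; "rate-limit 9600" would be traffic_rate_community(0, 9600.0).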
