Skip to Content.
Sympa Menu

netsec-sig - [Security-WG] BGP Flowspec guidance

Subject: Internet2 Network Security SIG

List archive

[Security-WG] BGP Flowspec guidance


Chronological Thread 
  • From: Karl Newell <>
  • To: "" <>
  • Subject: [Security-WG] BGP Flowspec guidance
  • Date: Wed, 23 May 2018 16:13:43 +0000
  • Accept-language: en-US
  • Authentication-results: internet2.edu; dkim=none (message not signed) header.d=none;internet2.edu; dmarc=none action=none header.from=internet2.edu;
  • Ironport-phdr: 9a23:sYJukRPV/c5X9Kkx2zIl6mtUPXoX/o7sNwtQ0KIMzox0I/7+rarrMEGX3/hxlliBBdydt6ofzbKO+4nbGkU4qa6bt34DdJEeHzQksu4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1Ov71GonPhMiryuy+4ZLebxlGiTanfb9+MAi9oBnMuMURnYZsMLs6xAHTontPdeRWxGdoKkyWkh3h+Mq+/4Nt/jpJtf45+MFOTav1f6IjTbxFFzsmKHw65NfqtRbYUwSC4GYXX3gMnRpJBwjF6wz6Xov0vyDnuOdxxDWWMMvrRr0yRD+s7bpkSAXwhSkHKTA37X3XhMJzgqJavB2uqAdyzJTIbIGQLvdyYr/RcNEcSGFcXshRTStBAoakYoUKFeUBJ+JYpJTlqVQQoxqxGw2sBOfywTJPhX/227M10uo/HgHC2AwtBNMOsHLIrNrrLqcSV/66zLXWwTnZcfxZxCr95ZHOfxs8ov+MRap9fdTMxUQuDQ/IgEucpZb4Mz6WyugBqXWX4up4We6ximMrtxx9rz2yysovhITEg40Yx1/H+CllxYs5O8O3R1VlbdOhCpRcqy6XOoVzT84tQWxnpCI3x7gctpO7cyUKxpEqyh/CZ/GGd4WE+hzjW/iSLDtkgX9ofb2yiwuz/ES8z+DwSMe530xLoydAktTAq2wC2wHW58iJVPdy4lyu1DCS3A7J8O5EO1o7la/DJp4h3LEwkp0TvFzbECLqn0v6kLGaelw59Oaw9ujre7LmqYSCOINujQH+L7gulde4AeQlNAgBQnKX+fym1L3k4U32XqlFjuE3kqnetpDWP8MbprOlAw9R1YYj7BW/Ay2639QfmHkLNFNFeBSZgIj1I1zCPu30APalj1mijjtn3e3KM779DpnXM3TOkK/tfbNn5E5dzAozw8pf55VRCrwZI/LzXFH+tdLGAR89Nwy52OfnCNNh1owAQ2KPBLGWML/MvVOS+O0gPvSMaJcPuDnhM/gl++LujXghlF8GY6amwYYXaGq5HvR6I0SVeHTtgtgaHGcOvwo+V/DqiEacXTJJZnayWb486S8hCIKgE4jDWp6hjKaf0yimA50FLlxBXxqXHHz1bYSYSrITZwqTJNNsiDoJSeLnRoM8n1n6rwLx1qBmMvuR5SIwtJT/2cJz6vGJ0xw+6GonId6a1jSuRntw1kUFWDIy2Ogrokpw1VqH1YB5heBVD9pe+6kPXwsnY82Ph9dmAsz/D1qSNuyCT0yrF42r
  • Spamdiagnosticoutput: 1:0

As we make progress on our BGP flowspec testing and pilot, we’ll periodically ask this group for some guidance.  Our first question is related to BGP session/family establishment. 

 

Our preference is to add the flow family to our existing BGP sessions, so we can rely on flowspec validation (requires flowspec routes to align with best unicast routes).  We would like to set a peer max-prefix limit on the flow family; there is a maximum number of flowspec routes supported on the Juniper MX960.  If we use the existing BGP session, exceeding the flow max-prefix will tear down the session which tears down the unicast family as well.

 

One alternative is to use a separate session for flowspec.  We’ll need to disable flowspec validation and rely on peer prefix lists.

 

Options:

  1. Use the existing BGP session, enable the flow family
    1. Use a max-prefix limit such that normal behavior shouldn’t trip the threshold (caveat: we don’t know what normal behavior is) – maybe 100 flowspec routes?

                                                               i.      Clearly communicate max-prefix limit and its implications (possible unicast teardown)

                                                             ii.      Configure a limit without a teardown but a peer could send an excessive amount of flowspec routes

  1. Set up a new BGP session and disable flowspec validation
    1. Use existing peer prefix lists for validation

Thoughts, comments, questions?

Cheers,

Karl

 

--

Karl Newell

Cyberinfrastructure Security Engineer

Internet2

520-344-0459

 


Archive powered by MHonArc 2.6.19.

Top of Page