
Re: [Security-WG] BGP Flowspec guidance


  • From: "Garrett, Seth B" <>
  • To: "" <>, "" <>
  • Subject: Re: [Security-WG] BGP Flowspec guidance
  • Date: Wed, 23 May 2018 16:55:18 +0000

To make it more compatible with a wider audience, a web-based UI and API might be useful. You could probably apply more controls to the requests via that also.


Seth Garrett
Principal Network Systems Engineer
Indiana University


From: <> on behalf of Andrew Gallo <>
Sent: Wednesday, May 23, 2018 12:27 PM
To:
Subject: Re: [Security-WG] BGP Flowspec guidance
My first thought is that option 1 (adding family flow to the existing session) makes sense.

Question for the downstreams - how do you expect to add flow entries? Manually via the CLI on your router? Any plans to automate flow rule creation or integrate with something else (maybe Bro?)?

Would option 2 be appropriate to integrate with something that isn't a router?  Would I2 be willing to consider something like this? 

Thanks


On Wed, May 23, 2018 at 9:13 AM, Karl Newell <> wrote:

As we make progress on our BGP flowspec testing and pilot, we’ll periodically ask this group for some guidance. Our first question is related to BGP session/family establishment.

Our preference is to add the flow family to our existing BGP sessions, so we can rely on flowspec validation (requires flowspec routes to align with best unicast routes). We would like to set a peer max-prefix limit on the flow family; there is a maximum number of flowspec routes supported on the Juniper MX960. If we use the existing BGP session, exceeding the flow max-prefix will tear down the session which tears down the unicast family as well.

One alternative is to use a separate session for flowspec. We’ll need to disable flowspec validation and rely on peer prefix lists.

Options:

  1. Use the existing BGP session, enable the flow family
    1. Use a max-prefix limit such that normal behavior shouldn’t trip the threshold (caveat: we don’t know what normal behavior is) – maybe 100 flowspec routes?
      i. Clearly communicate max-prefix limit and its implications (possible unicast teardown)
      ii. Configure a limit without a teardown but a peer could send an excessive amount of flowspec routes
  2. Set up a new BGP session and disable flowspec validation
    1. Use existing peer prefix lists for validation

Thoughts, comments, questions?

Cheers,

Karl


--

Karl Newell

Cyberinfrastructure Security Engineer

Internet2

520-344-0459
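The two options in Karl's message, as an added Junos configuration sketch that is not from the thread, Internet2 or Juniper: the peer addresses 192.0.2.1 and 192.0.2.2, the group and policy names and the 198.51.100.0/24 prefix are constructed, while the 100-route limit is the figure floated in the message. Option 2 assumes the flowspec-only session peers with a second address on the downstream router, since Junos establishes only one BGP session per neighbor address.

```junos
protocols {
    bgp {
        /* Option 1: flow family on the existing session; flow routes are validated against the unicast RIB by default. */
        group downstream {
            neighbor 192.0.2.1 {
                family inet {
                    unicast;
                    flow {
                        prefix-limit {
                            maximum 100;
                            /* Warn at 80%; past 100 routes the whole session (unicast too) drops for 30 min. Omit to log only. */
                            teardown 80 idle-timeout 30;
                        }
                    }
                }
            }
        }
        /* Option 2: flowspec-only session to a second peer address; validation */
        /* is disabled and replaced by a policy built from the peer prefix list. */
        group downstream-flow {
            neighbor 192.0.2.2 {
                family inet {
                    flow {
                        no-validate downstream-flow-filter;
                        prefix-limit {
                            maximum 100;
                            /* Here a teardown only drops the flow session. */
                            teardown 80 idle-timeout 30;
                        }
                    }
                }
            }
        }
    }
}
policy-options {
    prefix-list downstream-prefixes {
        198.51.100.0/24;
    }
    policy-statement downstream-flow-filter {
        /* Accept flow routes whose destination lies inside the peer's prefixes. */
        term customer-destinations {
            from prefix-list-filter downstream-prefixes orlonger;
            then accept;
        }
        term default-deny {
            then reject;
        }
    }
}
```

With option 2 the policy only checks the destination component of each flow route, so it does not give the origin-AS check that built-in validation provides; that is the trade-off the message describes.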
