netsec-sig - RE: [Security-WG] BGP Flowspec guidance

Subject: Internet2 Network Security SIG

RE: [Security-WG] BGP Flowspec guidance

  • From: Michael Hare <>
  • To: "" <>
  • Subject: RE: [Security-WG] BGP Flowspec guidance
  • Date: Wed, 23 May 2018 18:02:35 +0000

Specifically because I don't want an error in RTBH/flowspec land to tear down forwarding, I've chosen something like #2 in AS3128: for untrusted sessions (i.e., not iBGP), RTBH/flowspec uses a separate multihop peering session to a local loopback IP on the router closest to the connector (for CoS reasons).

My RTBH/flowspec peering session uses import policy and flowspec validation; it seems to be working fine for me. I don't think I'm doing anything unusual and would be happy to share config snippets (JunOS) if desired.

To be transparent, the number of connectors using this feature for us is exactly one, and that connector is using exaBGP/fastnetmon FWIW, but I did test (at least once!) to make sure flowspec validation was working as expected.

-Michael


From: Brad Fleming
Sent: Wednesday, May 23, 2018 12:04 PM
Subject: Re: [Security-WG] BGP Flowspec guidance


I believe in some versions of Junos, adding the flowspec family causes GRES and nonstop routing to fail for the session. So you take a hard reset on all address families in the event of an RE switchover. That might have been resolved in newer versions of Junos, so it might be a moot issue in your case.

An approach (not necessarily a good one) is to stand up OoB BGP sessions that carry unicast and flowspec routes. It can do triage on received routes and perform validation. Then it can peer with your core but only exchange flowspec details. Again, not the prettiest solution, but I think it would check all the boxes.

--
Brad Fleming
Assistant Director for Technology
Kansas Research and Education Network
Office: 785-856-9805
Mobile: 785-865-7231
NOC: 785-856-9820


On May 23, 2018, at 11:13 AM, Karl Newell <> wrote:

As we make progress on our BGP flowspec testing and pilot, we'll periodically ask this group for some guidance. Our first question is related to BGP session/family establishment.

Our preference is to add the flow family to our existing BGP sessions, so we can rely on flowspec validation (which requires flowspec routes to align with best unicast routes). We would like to set a peer max-prefix limit on the flow family; there is a maximum number of flowspec routes supported on the Juniper MX960. If we use the existing BGP session, exceeding the flow max-prefix will tear down the session, which tears down the unicast family as well.

One alternative is to use a separate session for flowspec. We'll need to disable flowspec validation and rely on peer prefix lists.

Options:

  1. Use the existing BGP session, enable the flow family
     a. Use a max-prefix limit such that normal behavior shouldn't trip the threshold (caveat: we don't know what normal behavior is) – maybe 100 flowspec routes?
        i. Clearly communicate the max-prefix limit and its implications (possible unicast teardown)
        ii. Configure a limit without a teardown, but then a peer could send an excessive amount of flowspec routes
  2. Set up a new BGP session and disable flowspec validation
     a. Use existing peer prefix lists for validation

Thoughts, comments, questions?


Cheers,

Karl

--
Karl Newell
Cyberinfrastructure Security Engineer
Internet2
520-344-0459
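A Junos configuration sketch of the two designs discussed in this thread (Karl's option 1, the flow family on the existing session with validation and a log-only prefix limit, and option 2, the separate multihop flowspec session with validation off, which is also the layout Michael describes). This is an added illustration, not configuration from the thread or from any of the posters' networks. Group and policy names, AS number 65001, the addresses (RFC 5737 documentation ranges), the 100-route limit and the 80% teardown threshold are all assumed; check the exact `no-validate` and `prefix-limit` syntax against the Junos release in use.

```junos
/* Added example, not from the thread. Names, AS numbers, addresses
   and limits are assumptions chosen for illustration. */
protocols {
    bgp {
        /* Option 1: flow family on the existing eBGP session.
           Flowspec validation is left on (the default), so a flow route is
           only installed when its destination prefix is covered by the best
           unicast route learned from the same peer.
           prefix-limit without "teardown" only logs when the maximum is
           exceeded, so a burst of flow routes cannot take the unicast
           family down with it. */
        group connector {
            type external;
            peer-as 65001;
            neighbor 192.0.2.2;
            import connector-unicast-in;
            family inet {
                unicast;
                flow {
                    prefix-limit {
                        maximum 100;
                    }
                }
            }
        }
        /* Option 2: a separate multihop session to a loopback on the
           router nearest the connector, carrying only the flow family.
           Validation is disabled because the unicast routes arrive on
           another session, so the import policy has to do the prefix
           check instead. Tearing this session down on overflow is
           acceptable because the unicast family is not on it. */
        group connector-flowspec {
            type external;
            multihop {
                ttl 2;
            }
            local-address 203.0.113.1;   /* loopback on this router (assumed) */
            peer-as 65001;
            neighbor 192.0.2.2;
            import connector-flowspec-in;
            family inet {
                flow {
                    /* no-validate takes a policy name; the named policy
                       decides which flow routes are accepted in place of
                       the unicast cross-check. */
                    no-validate connector-flowspec-in;
                    prefix-limit {
                        maximum 100;
                        teardown 80 idle-timeout 30;
                    }
                }
            }
        }
    }
}
policy-options {
    /* The connector's own address space (assumed). The same list feeds
       both policies so the flowspec check is no looser than the unicast one. */
    prefix-list connector-prefixes {
        198.51.100.0/24;
    }
    policy-statement connector-unicast-in {
        term own-space {
            from {
                prefix-list-filter connector-prefixes orlonger;
            }
            then accept;
        }
        then reject;
    }
    /* For flow routes the prefix-list-filter matches the destination
       prefix of the flow route, so the connector can only steer or drop
       traffic headed to its own space. */
    policy-statement connector-flowspec-in {
        term own-space {
            from {
                prefix-list-filter connector-prefixes orlonger;
            }
            then accept;
        }
        then reject;
    }
}
```

After committing, `show route table inetflow.0` lists the installed flow routes; an easy test of the option 1 path is to have the peer announce a flow route whose destination is not covered by any unicast route it advertises and confirm it is not installed, and for either option to announce a flow route for a destination outside `connector-prefixes` and confirm the import policy rejects it.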

 



