
netsec-sig - Re: [Security-WG] BGP Flowspec guidance

Subject: Internet2 Network Security SIG


Re: [Security-WG] BGP Flowspec guidance

  • From: "Dale W. Carder" <>
  • Subject: Re: [Security-WG] BGP Flowspec guidance
  • Date: Wed, 23 May 2018 22:13:39 -0500

Karl, that sounds pretty cool.

As I think has mentioned before, you could use the "Firewall on Demand"
code from GRNET (I think this is now a Geant service also?). Or, check
out the integration components (including w/ Bro) from NCSA. As Michael
Hare mentioned, FastNetMon can inject routes w/ exabgp as well.

I would guess that you want to support the out-of-band (multihop, even)
model on day 1. You would probably want or even require IRR objects to
make the prefix filters, or do a variant of the UTRS-style prefix
stickiness test to create the filters dynamically.

There are even more options for verifying that the received routes are within
policy, including using a shim layer (such as an exabgp client) to
validate the policy, log it, etc., before readvertising into the network.

Dale



Thus spake Garrett, Seth B () on Wed, May 23, 2018 at 04:55:18PM +0000:
> To make it more compatible with a wider audience, a web based UI and API
> might be useful. You could probably apply more controls to the requests
> via that also.
>
> Seth Garrett
> Principal Network Systems Engineer
> Indiana University
> ________________________________
> From: on behalf of Andrew Gallo
> Sent: Wednesday, May 23, 2018 12:27 PM
> To:
> Subject: Re: [Security-WG] BGP Flowspec guidance
>
> My first thought is that option 1 (adding family flow to the existing
> session) makes sense.
>
> Question for the downstreams - how do you expect to add flow entries?
> Manually via the CLI on your router? Any plans to automate flow rule
> creation or integrate with something else (maybe Bro?) ?
>
> Would option 2 be appropriate to integrate with something that isn't a
> router? Would I2 be willing to consider something like this?
>
> Thanks
>
>
> On Wed, May 23, 2018 at 9:13 AM, Karl Newell <> wrote:
> As we make progress on our BGP flowspec testing and pilot, we'll
> periodically ask this group for some guidance. Our first question is
> related to BGP session/family establishment.
>
> Our preference is to add the flow family to our existing BGP sessions, so
> we can rely on flowspec validation (requires flowspec routes to align with
> best unicast routes). We would like to set a peer max-prefix limit on the
> flow family; there is a maximum number of flowspec routes supported on the
> Juniper MX960. If we use the existing BGP session, exceeding the flow
> max-prefix will tear down the session which tears down the unicast family
> as well.
>
> One alternative is to use a separate session for flowspec. We'll need to
> disable flowspec validation and rely on peer prefix lists.
>
> Options:
>
> 1. Use the existing BGP session, enable the flow family
>    * Use a max-prefix limit such that normal behavior shouldn't trip
>      the threshold (caveat: we don't know what normal behavior is) - maybe 100
>      flowspec routes?
>      i. Clearly communicate max-prefix limit and its implications (possible unicast
>         teardown)
>      ii. Configure a limit without a teardown but a peer could send an excessive
>          amount of flowspec routes
>
> 2. Set up a new BGP session and disable flowspec validation
>    * Use existing peer prefix lists for validation
>
> Thoughts, comments, questions?
>
> Cheers,
> Karl
>
> --
> Karl Newell
> Cyberinfrastructure Security Engineer
> Internet2
> 520-344-0459
>
>
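As an added example (not code from this thread, nor from exabgp, FastNetMon, Firewall on Demand or the NCSA components named in it), here is a minimal Python shim of the kind Dale describes, sitting between a downstream peer and the network, that applies the two checks Karl's options turn on to each received flowspec rule: the destination must fall within the peer's own prefix list (standing in for flowspec validation when a separate session is used), and a per-peer rule cap rejects excess rules instead of tearing the session down. The rule dict layout, the peer prefix list and the cap of 100 are constructed assumptions.

```python
import ipaddress
import logging

log = logging.getLogger("flowspec-shim")


class FlowspecShim:
    """Validate flowspec rules from one peer before they are readvertised."""

    def __init__(self, peer_prefixes, max_rules=100):
        # Prefixes the peer is allowed to cover (e.g. built from its IRR route
        # objects); this list is constructed for the example.
        self.allowed = [ipaddress.ip_network(p) for p in peer_prefixes]
        self.max_rules = max_rules
        self.accepted = {}  # rule key -> rule, simulating the installed set

    def _dest_permitted(self, dest):
        net = ipaddress.ip_network(dest, strict=False)
        # Only honour a rule whose destination is inside a prefix the peer is
        # authorised for; the address family must match before subnet_of().
        return any(a.version == net.version and net.subnet_of(a)
                   for a in self.allowed)

    @staticmethod
    def _key(rule):
        return (rule.get("destination"), rule.get("source"),
                rule.get("protocol"), rule.get("destination-port"))

    def receive(self, rule):
        """Return (accepted, reason) for one flowspec rule dict."""
        dest = rule.get("destination")
        if dest is None or not self._dest_permitted(dest):
            log.warning("reject %s: destination outside peer policy", rule)
            return False, "destination-not-permitted"
        key = self._key(rule)
        if key in self.accepted:
            self.accepted[key] = rule  # update of an existing rule, no new slot
            return True, "updated"
        if len(self.accepted) >= self.max_rules:
            # Cap reached: drop this rule and keep the session (and the unicast
            # family) up, the behaviour Karl's option 1.ii wants.
            log.warning("reject %s: peer already at %d flowspec rules",
                        rule, self.max_rules)
            return False, "max-rules-exceeded"
        self.accepted[key] = rule
        return True, "accepted"

    def withdraw(self, rule):
        """Remove a rule the peer withdraws; returns True if it was installed."""
        return self.accepted.pop(self._key(rule), None) is not None
```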


