Internet2 Network Security SIG

["Dale W. Carder" <>]

Karl, that sounds pretty cool.

As I think has mentioned before, you could use the "Firewall on Demand"
code from GRNET (I think this is now a Geant service also?).  Or, check
out the integration components (including w/ Bro) from NCSA.  As Michael
Hare mentioned, FastNetMon can inject routes w/ exabgp as well.

I would guess that you want to support the out-of-band (multihop, even)
model on day 1.  You would probably want or even require IRR objects to
make the prefix filters, or do a variant of the UTRS-style prefix 
stickiness test to create the filters dynamically.

There's even more options for verifying the received routes are within 
policy, including using a shim layer (such as an exabgp client) to 
validate the policy, log it, etc, before readvertising into the network.

Dale



Thus spake Garrett, Seth B 
()
 on Wed, May 23, 2018 at 04:55:18PM +0000:
> ?To make it more compatible with a wider audience, a web based UI and API 
> might be useful.  You could probably apply more controls to the requests 
> via that also.
> 
> Seth Garrett
> Principal Network Systems Engineer
> Indiana University
> ________________________________
> From: 
> 
>  
> <>
>  on behalf of Andrew Gallo 
> <>
> Sent: Wednesday, May 23, 2018 12:27 PM
> To: 
> 
> Subject: Re: [Security-WG] BGP Flowspec guidance
> 
> My first thought is that option 1 (adding family flow to the existing 
> session) makes sense.
> 
> Question for the downstreams - how do you expect to add flow entries?  
> Manually via the CLI on your router?  Any plans to automate flow rule 
> creation or integrate with something else (maybe Bro?) ?
> 
> Would option 2 be appropriate to integrate with something that isn't a 
> router?  Would I2 be willing to consider something like this?
> 
> Thanks
> 
> 
> On Wed, May 23, 2018 at 9:13 AM, Karl Newell 
> <<mailto:>>
>  wrote:
> As we make progress on our BGP flowspec testing and pilot, we'll 
> periodically ask this group for some guidance.  Our first question is 
> related to BGP session/family establishment.
> 
> Our preference is to add the flow family to our existing BGP sessions, so 
> we can rely on flowspec validation (requires flowspec routes to align with 
> best unicast routes).  We would like to set a peer max-prefix limit on the 
> flow family; there is a maximum number of flowspec routes supported on the 
> Juniper MX960.  If we use the existing BGP session, exceeding the flow 
> max-prefix will tear down the session which tears down the unicast family 
> as well.
> 
> One alternative is to use a separate session for flowspec.  We'll need to 
> disable flowspec validation and rely on peer prefix lists.
> 
> Options:
> 
>   1.  Use the existing BGP session, enable the flow family
>      *   Use a max-prefix limit such that normal behavior shouldn't trip 
> the threshold (caveat: we don't know what normal behavior is) - maybe 100 
> flowspec routes?
> 
>                                                                i.      
> Clearly communicate max-prefix limit and its implications (possible unicast 
> teardown)
> 
>                                                              ii.      
> Configure a limit without a teardown but a peer could send an excessive 
> amount of flowspec routes
> 
>   1.  Set up a new BGP session and disable flowspec validation
>      *   Use existing peer prefix lists for validation
> Thoughts, comments, questions?
> 
> Cheers,
> Karl
> 
> --
> Karl Newell
> Cyberinfrastructure Security Engineer
> Internet2
> 520-344-0459
> 
>