This question is regarding section 5.1 (The Order of Traffic Filtering Rules) of BGP Flowspec RFC 7674.
This is my summary of section 5.1. Please correct me if I am wrong anywhere.
When a packet is received by a router with two dynamically installed FlowSpec filters, the router needs to deterministically decide which one to apply first. For that it looks at the first match condition of both FlowSpec filters.
1: If filter A’s first match condition has a lower Flowspec Type value than that of Filter B, then Filter A is applied first, else Filter B
2: If the first match condition of both filters A and B are the same and are either of Type 2 or 3 (IP prefixes), then the Filter with the lower prefix value wins. As a tiebreaker, the Filter with the longest prefix length wins.
3: This step is used if the first match conditions of both filters are the same and not of type 2 or 3 (IP prefixs). For example, if both are TCP ports. In this step, the RFC says “the comparison is performed by comparing the component data as a binary string using the memcmp() function as defined by the ISO C standard”.
Now the question:
What if the first match conditions of both filters is TCP destination port 22. This should use step 3 to resolve which filter should apply to the packet. But since both match conditions are the same, they should translate into the same binary string. Then how would the memcmp() function be able to choose one over the other?
If I understand Your question correctly, You want to know what happens if:
1/ 1st BGP Update with Flowspec NLRI with src ip 0.0.0.0, dst ip 0.0.0.0, proto tcp, dst port 22, action drop arrives at the router1
2/ 2nd Update arrives at router1 with exactly the same BGP Flowspec NLRI : src ip 0.0.0.0, dst ip 0.0.0.0, proto tcp, dst port 22, action drop
Well, these 2 updates are not supposed to arrive from the same source because they are identical, and BGP does not do periodic restransmit like IGP, but if they do arrive, it is a NOOP and by default oldest BGP update is preferred if such 2 updates are no different.
Now, if You want to know what happens if both updates are identical except that the action is different - e.g. 1st Update action is drop, 2nd Update action is anything but drop (redirect or remark) then according to BGP rules, the 2nd update is preferred, and 2nd NLRI replaces 1st - the 2nd Update is considered as implicit withdrawal for the 1st.
If Updates 1 and 2 arrive from different sources (e.g. from 2 Route Reflectors) then normal BGP path selection algo applies, and worst case it will be down to a router-id comparison.
So, in a nutshell, the rules You cited are applicable if there is ambiguity in BGP Flowspec NLRI and longest/most specific NLRI wins. E.g. if router1 receives 1st Flowspec NLRI with "src ip 0.0.0.0, dst ip 0.0.0.0, proto tcp, dst port 22" and 2nd NLRI with "src ip 0.0.0.0, dst ip 0.0.0.0, proto tcp, dst port range 22-23", then 2nd NLRI wins because it has longer "dst.port" string.
Hope this makes sense.
And in the following case:
NLRI1: src ip 0.0.0.0, dst ip 0.0.0.0, proto tcp, dst port 22
NLRI2: src ip 0.0.0.0, dst ip 0.0.0.0, proto tcp, dst port 23
the lengths are the same, but NLRI1 wins because its 'dst port' is lower. Correct?
No it is not correct. The algo in RFC 5575 section 5.1 is executed only when "more than one rule may match aparticular traffic flow". Since there is no way a traffic flow can match both dst.port 22 and dst.port 23, these 2 NLRI in Your example are 2 unique Flowspec NLRIs and will be installed together.
Understood. Thanks Alex!