
Exporting source based BGP Flowspec routes

  • 1.  Exporting source based BGP Flowspec routes

    Posted 05-14-2021 13:01
    Hi,
    We have a vRR instance running in the lab as a trigger router exporting flow routes to a PE edge router. The flow routes are configured in a VRF instance and advertised as VPNv4 routes to the PE router. Our objective is to advertise flow routes that are host routes i.e., that have a prefix-length of /32 only and reject other prefix-lengths. And so we are using the following term in the BGP export policy on the trigger router and statically configuring flow routes for advertisement to the target router:

    set policy-options policy-statement TO_PE_EX term HOST_ROUTES from route-filter 0.0.0.0/0 prefix-length-range /0-/31
    set policy-options policy-statement TO_PE_EX term HOST_ROUTES then reject

    The above term works fine for rejecting routes with prefix-lengths between /0-/31 and only allows /32 host routes to be advertised to the target router such as the destination-based flow route below: 

    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW match protocol tcp
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW match destination 104.104.104.104/32
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW then community FLOW_STD
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW then rate-limit 1g

    But this export policy term does not work for source based host flow routes (/29), e.g., the following route gets advertised. This suggests that the 'term HOST_ROUTES' above is not matching the source based flow route 'DDOS_FLOW_SOURCE' below:

    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match protocol tcp
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match source 104.104.104.104/29         <--
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then community FLOW_STD
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then rate-limit 1g

    Using the 'source-address-filter' in the export policy doesn't appear to work as expected either; it appears to match a /32 source route and reject it [instead of matching just /0-/31 prefix lengths only]:

    set policy-options policy-statement TO_PE_EX term HOST_ROUTES_SOURCE from source-address-filter 0.0.0.0/0 prefix-length-range /0-/31
    set policy-options policy-statement TO_PE_EX term HOST_ROUTES_SOURCE then reject

    For example, the following flow route (/32) is rejected by the policy term HOST_ROUTES_SOURCE above:

    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match protocol tcp
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE match source 104.104.104.104/32        <--
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then community FLOW_STD
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_FLOW_SOURCE then rate-limit 1g

    Any thoughts on how we can match the prefix-length for source based flow routes and accept /32 host routes only?
    Thanks,


  • 2.  RE: Exporting source based BGP Flowspec routes

    Posted 05-17-2021 10:32
    Hi,

    Indeed, source-address-filter will not work in that situation. You will need to apply the filter (input) on destination.

    Hope this helps.

    Leonardo Gama.


  • 3.  RE: Exporting source based BGP Flowspec routes

    Posted 05-19-2021 11:52
    Thanks Leonardo. 
    I have tried the following but using a 'route-filter' on the target router appears to deny a /32 source based flow route while it does accept a destination based /32 route:

    1) Using a match criteria of 'route-filter 0.0.0.0/0 prefix-length-range /32-/32' on the target router denies the source based /32 flow route and the route is not imported. We want source based /32 routes to be accepted by the target router.

    -Trigger Router-
     set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match protocol tcp
     set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match source 104.104.104.104/32                 <--
     set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then community FLOW_ALL_PE_STD
     set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then rate-limit 1g

    -Target Router-
     set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC from route-filter 0.0.0.0/0 prefix-length-range /32-/32
     set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC then accept
    !
    user@router-RE0> show route table VRF_NAME.inetflow.0
    {master}
    user@router-RE0>

    2) Using a match criteria of 'route-filter 0.0.0.0/0 prefix-length-range /32-/32' on the target router allows a destination based /32 flow route and the route is imported successfully. This is expected behaviour.

    -Trigger Router-
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match protocol tcp
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match destination 104.104.104.104/32          <--
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then community FLOW_ALL_PE_STD
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then rate-limit 1g

    -Target Router-
    set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC from route-filter 0.0.0.0/0 prefix-length-range /32-/32
    set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC then accept
    !
    user@router-RE0> show route table VRF_NAME.inetflow.0
    VRF_NAME.inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    104.104.104.104,*,proto=6/term:1
    *[BGP/170] 00:02:33, localpref 255, from 10.x.x.x
    AS path: I, validation-state: unverified
    Fictitious
    {master}
    user@router-RE0>

    3) Using a match criteria of 'source-address-filter 0.0.0.0/0 prefix-length-range /32-/32' on the target router allows a source based /24 flow route and the route is imported. The expected result is that a /24 (non-/32) source based flow route should not be imported and that's our objective.

    - Trigger Router -
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match protocol tcp
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE match source 104.104.104.0/24                      <--
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then community FLOW_ALL_PE_STD
    set routing-instances BGP_FLOWSPEC routing-options flow route DDOS_TCP_TRAFFIC_PE then rate-limit 1g

    - Target Router -
    set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC from source-address-filter 0.0.0.0/0 prefix-length-range /32-/32
    set policy-options policy-statement VRF_NAME_IM term BGP_FLOWSPEC then accept
    !
    user@router-RE0> show route table VRF_NAME.inetflow.0
    VRF_NAME.inetflow.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    *,104.104.104/24,proto=6/term:1
    *[BGP/170] 00:01:33, localpref 255, from 10.x.x.x
    AS path: I, validation-state: unverified
    Fictitious
    !



  • 4.  RE: Exporting source based BGP Flowspec routes

    Posted 05-19-2021 13:26
    Hi,

    It seems source-address-filter only matches multicast source addresses. On IOS-XR for instance, the RPL matches both source and destination flow route by using a prefix-set. It is not ideal, but it is better than being able to match only destination flow route.
    I think you should request an enhancement to the Account Manager.

    HTH.

    Leonardo Gama.
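The thread shows that a Junos route-filter only inspects the destination prefix component of a Flowspec NLRI, while the poster needs the source prefix component checked too. As an added example, not part of this thread or of any vendor's code, the Python below decodes IPv4 Flowspec NLRI (RFC 5575 / RFC 8955 wire format) into its components and applies the policy the poster wants: accept a flow route only if every prefix component it carries (destination and/or source) is a /32. The three sample NLRIs are constructed by hand to mirror the routes tested above and assume the same addresses.

```python
import ipaddress
# Flowspec component types for IPv4 (RFC 5575 / RFC 8955); types 3..12 are operator lists
DEST_PREFIX, SOURCE_PREFIX, END_OF_LIST = 1, 2, 0x80

def _decode_prefix(buf, pos):
    # Prefix component: one prefix-length byte, then only the significant address bytes
    plen = buf[pos]
    nbytes = (plen + 7) // 8
    raw = bytes(buf[pos + 1:pos + 1 + nbytes]).ljust(4, b"\x00")
    return ipaddress.IPv4Network((raw, plen), strict=False), pos + 1 + nbytes

def _decode_operator_list(buf, pos):
    # Numeric/bitmask components: (operator, value) pairs up to the end-of-list bit
    items = []
    while True:
        op = buf[pos]
        vlen = 1 << ((op >> 4) & 0x03)  # value length is encoded in operator bits 4-5
        items.append((op & 0x7F, int.from_bytes(buf[pos + 1:pos + 1 + vlen], "big")))
        pos += 1 + vlen
        if op & END_OF_LIST:
            return items, pos

def decode_flowspec_nlri(buf):
    """Decode one IPv4 Flowspec NLRI into {component_type: value}."""
    # NLRI length: one byte below 240, otherwise two bytes whose high nibble is 0xF
    total, pos = (buf[0], 1) if buf[0] < 0xF0 else (((buf[0] & 0x0F) << 8) | buf[1], 2)
    end, comps = pos + total, {}
    while pos < end:
        ctype, pos = buf[pos], pos + 1
        if ctype in (DEST_PREFIX, SOURCE_PREFIX):
            comps[ctype], pos = _decode_prefix(buf, pos)
        elif 3 <= ctype <= 12:
            comps[ctype], pos = _decode_operator_list(buf, pos)
        else:
            raise ValueError(f"unsupported flowspec component type {ctype}")
    if pos != end:
        raise ValueError("component data overruns the NLRI length")
    return comps

def host_routes_only(comps):
    """Policy the thread asks for: accept only if every prefix component present is a /32."""
    prefixes = [comps[t] for t in (DEST_PREFIX, SOURCE_PREFIX) if t in comps]
    return bool(prefixes) and all(p.prefixlen == 32 for p in prefixes)

# Constructed NLRIs mirroring the thread's test routes (not captured from a router)
SAMPLES = {
    "dst 104.104.104.104/32 tcp": bytes([9, 1, 32, 104, 104, 104, 104, 3, 0x81, 6]),
    "src 104.104.104.104/32 tcp": bytes([9, 2, 32, 104, 104, 104, 104, 3, 0x81, 6]),
    "src 104.104.104.0/24 tcp": bytes([8, 2, 24, 104, 104, 104, 3, 0x81, 6]),
}

def evaluate_samples():
    return {n: host_routes_only(decode_flowspec_nlri(b)) for n, b in SAMPLES.items()}
```

Running evaluate_samples() accepts both /32 routes and rejects the /24 source route, which is the behaviour the poster could not express with route-filter or source-address-filter alone.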