[121997] in North American Network Operators' Group
BGP FlowSpec (RFC 5575) route injector
daemon@ATHENA.MIT.EDU (Thomas Mangin)
Wed Feb 3 14:06:58 2010
From: Thomas Mangin <thomas.mangin@exa-networks.co.uk>
Date: Wed, 3 Feb 2010 19:06:16 +0000
To: nanog@nanog.org
Hi,
I just added some preliminary support for FlowSpec (RFC5575) to my BGP route injector http://bgp.exa.org.uk/
As I am not aware of any other project that allows injecting flow routes into a network, I am taking the liberty of plugging it here.
You can access the SVN repository at: http://svn.exa.org.uk/bgp/trunk/ - the code is under a 3-clause BSD licence.
More information about the installation is available on the wiki.
I performed basic testing by rate-limiting one of my coworkers' mail and web flows - seems to work - for the rest, it may not do what it should.
If you are interested, have any questions, are missing a feature, or just find any bugs, please just let me know.
Changing the configuration and SIGHUPing the application sends the peers the correct update messages to change the peer RIB.
Or just enable graceful-restart and restart the application if you do not care about the number of updates :p
More information:
- http://www.terena.org/activities/tf-ngn/tf-ngn17/uze-flowspec.pdf
- http://resources.nznog.org/2006/Friday-240306/DavidLambert-BGPFlowSpecificationUpdate/Lambert.ppt
- http://uknof.org/uknof15/Mangin-NakedBGP.pdf (another shameless selfplug - BGP overview - 3 slides on FlowSpec)
Thomas
--
Exa Networks Limited - http://www.exa-networks.co.uk/
Company No. 04922037 - VAT no. 829 1565 09
27-29 Mill Field Road, BD16 1PY, UK
Phone: +44 (0) 845 145 1234 - Fax: +44 (0) 1274 567646
---------
neighbor 82.219.123.221 {
    [....]
    flow {
        route {
            match {
                source 10.0.0.1/32;
                destination 192.168.0.1/32;
                port =80;
                destination-port =3128 >8080&<8088;
                source-port >1024;
                protocol tcp;
                # protocol [ tcp udp ];
                # packet-length >200&<300 >400&<500;
                # fragment not-a-fragment;
                # fragment [ first-fragment last-fragment ];
                # icmp-type [ unreachable echo-request echo-reply ];
                # icmp-code [ host-unreachable network-unreachable ];
                # tcp-flags [ urgent rst ];
                # dscp [ 10 20 ];
            }
            then {
                discard;
                # rate-limit 9600;
                # redirect 65500:12345;
                # redirect 1.2.3.4:5678;
            }
        }
    }
}

thomas.mangin@m7i-4.u3.tcw.uk> show configuration logical-routers trap protocols bgp
local-as 30740;
group flow {
    type external;
    multihop;
    local-preference 100;
    local-address 82.219.123.221;
    import no-export;
    export deny-all;
    peer-as 65500;
    neighbor 82.219.131.242 {
        traceoptions {
            file bgp;
            flag all;
        }
        family inet {
            unicast;
            flow {
                no-validate everything;
            }
        }
        family inet6 {
            unicast;
        }
    }
}

thomas.mangin@m7i-4.u3.tcw.uk> show configuration logical-routers trap policy-options policy-statement everything
then accept;

# env PYTHONPATH=~/source/bgp/lib/ python daemon/bgpd etc/bgp/m7i-service.txt
033 12:28:13 Supervisor/ performing reload
033 12:28:13 Supervisor/ New Peer 82.219.123.221
033 12:28:14 82.219.123.221/ 30740 -> OPEN version=4 asn=65500 hold_time=180 router_id=82.219.131.242 capabilities=[Graceful Restart Flags 0x8 Time 5 IPv4/flow-ipv4=0x80 IPv4/unicast=0x80 IPv6/unicast=0x80, Multiprotocol IPv4 unicast IPv6 unicast IPv4 flow-ipv4]
033 12:28:15 82.219.123.221/ 30740 <- OPEN version=4 asn=30740 hold_time=90 router_id=82.219.123.221 capabilities=[Cisco Route Refresh (unparsed), Multiprotocol IPv4 unicast IPv6 unicast IPv4 flow-ipv4, Route Refresh (unparsed)]
033 12:28:16 82.219.123.221/ 30740 -> KEEPALIVE
033 12:28:17 82.219.123.221/ 30740 <- KEEPALIVE
announcing IPv6 unicast 2a02:b80:0:6:50::1/128 next-hop 2a02:b80::90:0:52e:0:1 med 100
announcing IPv4 flow-ipv4 destination 192.168.0.1/32,source 10.0.0.1/32,protocol =TCP,port =80,destination-port =3128 >8080&<8088,source-port >1024 extended community [ 0x80 0x6 0x0 0x0 0x0 0x0 0x0 0x0 ]
announcing IPv4 unicast 82.219.4.100/32 next-hop 82.219.4.101 med 100
033 12:28:17 82.219.123.221/ 30740 -> UPDATE (3)
033 12:28:17 82.219.123.221/ 30740 <- KEEPALIVE

thomas.mangin@m7i-4.u3.tcw.uk> show route logical-router trap table inetflow.0 extensive
inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
192.168.0.1,10.0.0.1,proto=6,port=80,dstport=3128,>8080&<8088,srcport>1024/256 (1 entry, 0 announced)
    *BGP Preference: 170/-101
        Next hop type: Fictitious
        Next-hop reference count: 1
        State: <Active Ext>
        Peer AS: 65500
        Age: 1:13
        Task: BGP_65500_30740.82.219.131.242+32319
        AS path: 65500 I
        Communities: no-export traffic-rate:0:0
        Localpref: 100
        Router ID: 82.219.131.242
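
An added example, not part of the original message and not ExaBGP's own code: an RFC 5575 encoder that turns the match block and the discard action from the configuration in this message into the flow-ipv4 NLRI bytes and the traffic-rate extended community, so a filter can be checked byte for byte before it is announced to a router. The helper names (prefix, numeric, flow_nlri, traffic_rate) are hypothetical, and numeric values are assumed to fit in 1 or 2 bytes.

```python
import ipaddress
import struct

# Numeric operator byte, RFC 5575 section 4: e | a | len(2 bits) | 0 | lt | gt | eq
END, AND, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01
OPS = {"=": EQ, ">": GT, "<": LT, ">=": GT | EQ, "<=": LT | EQ}

def prefix(ctype, cidr):
    """Type 1 (destination) or 2 (source): type, prefix length, prefix bytes."""
    net = ipaddress.ip_network(cidr)
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]

def numeric(ctype, expr):
    """Types 3-6: {operator, value} pairs. In expr, spaces mean OR and '&' means AND."""
    terms = []
    for group in expr.split():
        for i, term in enumerate(group.split("&")):
            sym = term.rstrip("0123456789")
            terms.append((AND if i else 0, OPS[sym], int(term[len(sym):])))
    out = bytearray([ctype])
    for n, (and_bit, op, value) in enumerate(terms):
        size = 1 if value < 256 else 2            # protocols and ports fit in 2 bytes
        end = END if n == len(terms) - 1 else 0   # marks the last pair of the list
        out.append(end | and_bit | ((size - 1) << 4) | op)  # len field: size == 1 << len
        out += value.to_bytes(size, "big")
    return bytes(out)

def flow_nlri(components):
    """Order components by type, then prepend the 1- or 2-byte NLRI length."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    n = len(body)
    return (bytes([n]) if n < 240 else struct.pack("!H", 0xF000 | n)) + body

def traffic_rate(rate, asn=0):
    """Extended community 0x8006: 2-byte AS, 4-byte IEEE float; rate 0 discards."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate)

# The match block from the configuration in this message; "protocol tcp" is IP protocol 6.
NLRI = flow_nlri([
    prefix(2, "10.0.0.1/32"),
    prefix(1, "192.168.0.1/32"),
    numeric(3, "=6"),
    numeric(4, "=80"),
    numeric(5, "=3128 >8080&<8088"),
    numeric(6, ">1024"),
])
DISCARD = traffic_rate(0.0)   # the "discard" action in the "then" block

if __name__ == "__main__":
    print("NLRI     :", NLRI.hex(" "))
    print("community:", DISCARD.hex(" "))
```

The community bytes are the same eight values the daemon log prints as `[ 0x80 0x6 0x0 0x0 0x0 0x0 0x0 0x0 ]`, which the router displays as traffic-rate:0:0.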