[c-nsp] BGP flowspec S/RTBH for large DDoS

Nathan Ward cisco-nsp at daork.net
Mon May 16 05:29:54 EDT 2016


> On 16/05/2016, at 21:00, Gert Doering <gert at greenie.muc.de> wrote:
> 
> Hi,
> 
> On Mon, May 16, 2016 at 06:43:59AM +0700, Roland Dobbins wrote:
>> I personally don't know of any operator allowing customers to use 
>> flowspec on PE devices.
> 
> Not having the hardware to do flowspec across our network yet, I haven't
> investigated this closely.  But I do wonder what sort of filtering options
> exist in typical gear - like "standard BGP" prefix filters, I could imagine
> something like "flowspec entries learned from customers need to have a
> destination in <prefix list>, and are subject to <maxpfx 500>" or such...
> 
> Is that doable on anything?


I see what you’re getting at, and the behaviour to prevent attacks I suspect that you’re thinking of is the default.

https://tools.ietf.org/html/rfc5575#section-6

Roughly, you only use flowspec routes from external networks if they are the best path for that prefix.

There’s an I-D that updates this to relax it a little so it can be used if you have multiple eBGP peers between two ASNs (which is obviously quite common).

--
Nathan Ward
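As an added illustration (not code from the thread or from any vendor implementation), this Python sketch applies the RFC 5575 section 6 acceptance rule to a flowspec route against a constructed unicast RIB: accept an eBGP-learned flowspec route only if the best-match unicast route for its destination prefix came from the same neighbor, and no more-specific unicast route came from a different one. It identifies the "originator" by neighboring AS number, which is the relaxed, AS-level comparison of the I-D mentioned above rather than the per-neighbor match in the RFC text; that is an assumption of the example.

```python
import ipaddress

# Constructed sample unicast RIB (best paths only): prefix -> neighbor AS it was learned from.
UNICAST_RIB = {
    "192.0.2.0/24": 64501,
    "198.51.100.0/24": 64502,
    "198.51.100.128/25": 64503,   # more-specific covered by the /24, but from another AS
    "203.0.113.0/24": 64501,
}


def best_match(dest, rib):
    """Longest-prefix match of dest in rib. Returns (network, neighbor_as) or None."""
    d = ipaddress.ip_network(dest, strict=False)
    best = None
    for prefix, neighbor_as in rib.items():
        net = ipaddress.ip_network(prefix)
        if net.version != d.version:
            continue
        if d.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, neighbor_as)
    return best


def validate_flowspec(dest, neighbor_as, rib, from_ebgp=True):
    """RFC 5575 s6 check for a flowspec route whose destination component is `dest`.

    (a) the neighbor that sent the flowspec route must be the one that sent the
        best-match unicast route for `dest`;
    (b) no unicast route more specific than `dest` may come from a different neighbor.
    The rule is only applied to routes learned over eBGP; iBGP-learned routes pass.
    """
    if not from_ebgp:
        return True
    d = ipaddress.ip_network(dest, strict=False)
    match = best_match(dest, rib)
    if match is None:
        return False                       # no covering unicast route at all
    _, unicast_as = match
    if unicast_as != neighbor_as:
        return False                       # (a) failed: flowspec from a different neighbor
    for prefix, other_as in rib.items():   # (b): scan for more-specifics from someone else
        net = ipaddress.ip_network(prefix)
        if net.version == d.version and net.subnet_of(d) and net.prefixlen > d.prefixlen:
            if other_as != unicast_as:
                return False
    return True


if __name__ == "__main__":
    print(validate_flowspec("192.0.2.0/24", 64501, UNICAST_RIB))       # True
    print(validate_flowspec("198.51.100.0/24", 64502, UNICAST_RIB))    # False: /25 from AS 64503
```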
