[c-nsp] BGP flowspec S/RTBH for large DDoS

Saku Ytti saku at ytti.fi
Mon May 16 05:33:18 EDT 2016


On 16 May 2016 at 12:29, Nathan Ward <cisco-nsp at daork.net> wrote:

> I see what you’re getting at, and the behaviour to prevent attacks I suspect that you’re thinking of is the default.
>
> https://tools.ietf.org/html/rfc5575#section-6
>
> Roughly, you only use flowspec routes from external networks if they are the best path for that prefix.
>
> There’s an I-D that updates this to relax it a little so it can be used if you have multiple eBGP peers between two ASNs (which is obviously quite common).

Alas, this effort is overlooking actions. The RFC should have two
categories of actions: those which are externally OK and those which
are internally OK. By default, this policy should reject all updates
with an internal action from an external customer.

Right now, without manually limiting the action communities, a customer
can inject traffic into an arbitrary VRF and to an arbitrary next-hop.
Then you'll need another vector to get forward traffic to the VRF (such
as OptB without label checking) to completely pwn the VRF.



-- 
  ++ytti
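As an added illustration (not part of the post or of any vendor's code) of the point above: a policy check that classifies the RFC 5575 section 7 action extended communities carried on a flowspec update and rejects the update from an external peer when it carries an internal-only action. Which actions count as "externally OK" is this example's own assumption, as are the constructed sample attributes.

```python
import struct

# RFC 5575 section 7: flowspec actions are transitive extended communities
# whose type high byte is 0x80.
TRAFFIC_RATE, TRAFFIC_ACTION, REDIRECT_VRF, TRAFFIC_MARKING = 0x8006, 0x8007, 0x8008, 0x8009

# Policy assumed by this example (RFC 5575 does not define it): actions that
# only affect the matched flow may come from an external customer; anything
# that steers traffic into our own infrastructure (redirect-to-VRF, newer
# redirect-to-nexthop encodings, unknown types) is internal-only, fail closed.
EXTERNAL_OK = {TRAFFIC_RATE, TRAFFIC_ACTION, TRAFFIC_MARKING}


def parse_extcommunities(attr: bytes):
    """Split a raw EXTENDED_COMMUNITIES attribute value into (type, 6-byte payload)."""
    if len(attr) % 8:
        raise ValueError("extended community attribute length must be a multiple of 8")
    return [(struct.unpack("!H", attr[i:i + 2])[0], attr[i + 2:i + 8])
            for i in range(0, len(attr), 8)]


def describe(ec_type: int, payload: bytes) -> str:
    """Human-readable rendering of one flowspec action community."""
    if ec_type == TRAFFIC_RATE:
        _asn, rate = struct.unpack("!Hf", payload)   # 2-byte AS, IEEE float bytes/s
        return f"traffic-rate {rate:.0f} B/s" + (" (discard)" if rate == 0 else "")
    if ec_type == TRAFFIC_ACTION:
        return f"traffic-action terminal={bool(payload[5] & 0x01)} sample={bool(payload[5] & 0x02)}"
    if ec_type == REDIRECT_VRF:
        asn, num = struct.unpack("!HI", payload)     # route-target style AS:number
        return f"redirect-to-VRF {asn}:{num}"
    if ec_type == TRAFFIC_MARKING:
        return f"traffic-marking dscp={payload[5] & 0x3F}"
    return f"unknown action type 0x{ec_type:04x}"


def validate_external_flowspec(attr: bytes):
    """Return (accept, action_descriptions) for a flowspec NLRI from an external peer.

    Non-action extended communities (type high byte != 0x80, e.g. plain route
    targets) are ignored here; they are a separate policy question.
    """
    accept, actions = True, []
    for ec_type, payload in parse_extcommunities(attr):
        if (ec_type >> 8) != 0x80:
            continue
        text = describe(ec_type, payload)
        if ec_type not in EXTERNAL_OK:
            text += "  <- REJECTED: internal-only action from external peer"
            accept = False
        actions.append(text)
    return accept, actions


# Constructed sample attributes (not captured traffic): a plain RTBH-style
# rate-limit-to-zero, and the same plus a redirect into VRF 65000:100.
DISCARD = struct.pack("!HHf", TRAFFIC_RATE, 0, 0.0)
REDIRECT = DISCARD + struct.pack("!HHI", REDIRECT_VRF, 65000, 100)

if __name__ == "__main__":
    for name, attr in (("discard", DISCARD), ("redirect", REDIRECT)):
        ok, actions = validate_external_flowspec(attr)
        print(name, "ACCEPT" if ok else "REJECT", actions)
```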

