[j-nsp] "low route" with BGP examples?

Rafal Szarecki (WA/EPO) rafal.szarecki at ericsson.com
Wed Oct 19 05:36:37 EDT 2005


Tomas,

Generally speaking, a flow route is a definition of a firewall filter term (a.k.a. ACL). This definition is configured once on a single router as "routing-option flow route" and contains both match and action sections.

Then BGP (iBGP and also eBGP) is used to propagate this definition to multiple routers over the network. This propagation can be controlled by regular BGP methods, e.g. communities.

The router which receives a flow route (definition of a firewall filter term) processes validation (see Pedro's mail), and then applies this as a _Firewall Filter_ on the forwarding table.

Applying a firewall filter on the forwarding table has the effect that all packets forwarded by the router are checked against the firewall filter terms, regardless of ingress and egress interface.

The primary application is reaction to and mitigation of DDoS attacks.

Flow spec routes are more granular than SCU/DCU: they can match on L4 protocols, ports and non-address fields of the IP header.

SCU/DCU is limited to 16 classes only.

And Pedro is the author of the flow-route draft.
http://professional.juniper.net/roque/draft-marques-idr-flow-spec-02.txt

Rafał Szarecki JNCIE

skype me <callto://Rafal_Szarecki/> 



> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net 
> [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Thomas Mangin
> Sent: Tuesday, October 18, 2005 11:48 PM
> To: Pedro Roque Marques; dmitri at nominet.org.uk; 
> juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] "low route" with BGP examples?
> 
> 
> Pedro Roque Marques wrote:
> 
> >> However, I fail to see how flows are useful in that setup as we are not
> >> using them in filters but to tag routes.
> > 
> > flow routes are used for traffic filtering.
> 
> This can be done with scu; could someone give me the advantage of using
> flow against something like this?
> 
> groups {
>     transit-interface {
>         interfaces {
>             <*> {
>                 unit <*> {
>                     family inet {
>                         rpf-check {
>                             mode loose;
>                         }
>                         filter {
>                             input external-incoming-transit;
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
> routing-options {
>     aggregate {
>         route 10.0.0.0/24 community 1234:1234;
>     }
>     forwarding-table {
>         export tag-to-scu;
>         unicast-reverse-path feasible-paths;
>     }
> }
> firewall {
>     filter external-incoming-transit {
>         ...
>         term originate-deny {
>             from {
>                 source-class originate;
>             }
>             then {
>                 count deny-spoof-originate;
>                 discard;
>             }
>         }
>         ...
>         term default-allow {
>             then accept;
>         }
>     }
> }
> 
> policy-options {
>     policy-statement tag-to-scu {
>         term is-orginated-here {
>             from community originate;
>             then source-class originate;
>         }
>         ...
>     }
>     policy-statement originate {
>         term tag {
>             from {
>                 protocol aggregate;
>                 community originate;
>             }
>             then {
>                 community delete originate;
>                 accept;
>             }
>         }
>     }
>     community originate members 1234:1234;
> }
> 
> -- 
> Exa Networks Limited - UK - AS30740 - www.exa-networks.co.uk
> nic-handle : MANG-RIPE   website  : thomas.mangin.me.uk
> GPG key ID : 0xFB8B81A1  PGP key  : /pgp.html
> Inoc-DBA # : 30740*TOM   Office # : +44 (0) 845 145 1234
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
> 
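As an added illustration of the "validation" step mentioned in the reply above (not code from the thread, the draft, or Junos): the check below follows the originator rule later standardized in RFC 5575 section 6, which is assumed here to be what the thread refers to. A flow route is only installed as a filter term if it comes from the same neighbouring AS as the best-match unicast route for its destination prefix, and no more-specific unicast route comes from a different AS. The RIB, the AS numbers, the flow routes and the `as_filter_term` rendering are all constructed sample data.

```python
"""Validate BGP flow-specification routes against a unicast RIB.

Constructed example: the rule follows the originator check of RFC 5575
section 6 (assumption: this is the "validation" the thread refers to).
The RIB and the flow routes are made-up sample data, not Junos output.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UnicastRoute:
    prefix: IPv4Network
    origin_as: int  # neighbouring AS the best path was learned from


@dataclass(frozen=True)
class FlowRoute:
    name: str
    dest_prefix: IPv4Network   # destination component of the flow NLRI
    origin_as: int             # neighbouring AS that announced the flow route
    match: Dict[str, str]      # remaining match components (protocol, ports, ...)
    action: str                # e.g. "discard" or "rate-limit 1m"


def best_match(rib: List[UnicastRoute], prefix: IPv4Network) -> Optional[UnicastRoute]:
    """Longest-prefix match for the flow destination in the unicast RIB."""
    covering = [r for r in rib if prefix.subnet_of(r.prefix)]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def validate_flow_route(flow: FlowRoute, rib: List[UnicastRoute]) -> Tuple[bool, str]:
    """Return (feasible, reason).

    a) the flow route must come from the same neighbouring AS as the
       best-match unicast route for its destination prefix;
    b) no more-specific unicast route may come from a different AS.
    """
    best = best_match(rib, flow.dest_prefix)
    if best is None:
        return False, "no unicast route covers the destination prefix"
    if best.origin_as != flow.origin_as:
        return False, (f"best-match {best.prefix} learned from AS{best.origin_as}, "
                       f"flow route from AS{flow.origin_as}")
    for r in rib:
        if (r.prefix.prefixlen > flow.dest_prefix.prefixlen
                and r.prefix.subnet_of(flow.dest_prefix)
                and r.origin_as != best.origin_as):
            return False, f"more-specific {r.prefix} learned from AS{r.origin_as}"
    return True, "feasible"


def as_filter_term(flow: FlowRoute) -> str:
    """Render an accepted flow route as the filter term it turns into
    (Junos-like layout for illustration only; not generated by Junos)."""
    lines = [f"term {flow.name} {{", "    from {",
             f"        destination-address {flow.dest_prefix};"]
    lines += [f"        {k} {v};" for k, v in sorted(flow.match.items())]
    lines += ["    }", f"    then {flow.action};", "}"]
    return "\n".join(lines)


# Constructed sample unicast RIB: prefix and the neighbouring AS it came from.
RIB = [
    UnicastRoute(ip_network("10.0.0.0/16"), 64500),
    UnicastRoute(ip_network("10.0.1.0/24"), 64500),
    UnicastRoute(ip_network("10.0.2.0/24"), 64501),  # other AS inside 10.0.0.0/16
    UnicastRoute(ip_network("192.0.2.0/24"), 64502),
]

# Constructed sample flow routes, all announced by the neighbour in AS64500.
FLOWS = [
    FlowRoute("dns-flood", ip_network("10.0.1.0/24"), 64500,
              {"protocol": "udp", "destination-port": "53"}, "rate-limit 1m"),
    FlowRoute("whole-block", ip_network("10.0.0.0/16"), 64500,
              {"protocol": "icmp"}, "discard"),
    FlowRoute("foreign-prefix", ip_network("192.0.2.0/24"), 64500,
              {"protocol": "tcp", "destination-port": "80"}, "discard"),
    FlowRoute("unrouted", ip_network("198.51.100.0/24"), 64500, {}, "discard"),
]


def run_examples() -> Dict[str, bool]:
    """Validate every sample flow route; returns {name: feasible}."""
    results = {}
    for flow in FLOWS:
        ok, reason = validate_flow_route(flow, RIB)
        results[flow.name] = ok
        print(f"{flow.name:15s} {'ACCEPT' if ok else 'REJECT':6s} {reason}")
    return results


if __name__ == "__main__":
    run_examples()
    print(as_filter_term(FLOWS[0]))
```

Only `dns-flood` passes: `whole-block` is rejected because 10.0.2.0/24 inside it was learned from a different AS, `foreign-prefix` because the covering route belongs to another neighbour, and `unrouted` because nothing in the RIB covers it. The point for a defender is that a peer can only filter traffic to prefixes it already legitimately routes, which is what keeps a propagated flow route from becoming a way to drop someone else's traffic.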


