[j-nsp] Filter Based Forwarding with bgp import rib

Doan Nguyen doan_group at yahoo.com
Fri Mar 25 12:43:45 EDT 2011


Have you thought about using SCU/DCU tagging and having the firewall filter
force traffic based on that? BGP could tag routes with SCU/DCU based on the
community string attribute; once in the router you could apply a firewall
filter at the PFE level to force traffic based on the SCU/DCU tagging. The
process is rather messy but might be doable.
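As an added illustration of the SCU/DCU approach (this is not Doan's or Stefan's configuration, and nothing on the list provided one), the Junos fragment below has an import-side policy set a destination class on routes carrying a given community from the route-server feed, then has an output firewall filter discard or port-mirror traffic toward prefixes in that class. The community values, prefixes, interface names, class names and counter names are assumptions for illustration. Two caveats worth checking against the match-condition reference for your platform and release: the class of a packet is only known once the route lookup has run, so the class match is used here in an output filter, and the filter-based-forwarding action (`then routing-instance`) belongs to input filters, so redirect is not shown in this form.

```junos
/* Added example (not from the original post). Community values, prefixes,
   interface names, class names and counter names are assumptions. */
policy-options {
    community rs-discard members 65000:666;
    community rs-mirror members 65000:667;
    policy-statement tag-dcu {
        /* Only routes inside our own space may drive an action; a route
           server should not be able to blackhole arbitrary destinations. */
        term discard {
            from {
                route-filter 192.0.2.0/24 orlonger;
                community rs-discard;
            }
            then destination-class dcu-discard;
        }
        term mirror {
            from {
                route-filter 192.0.2.0/24 orlonger;
                community rs-mirror;
            }
            then destination-class dcu-mirror;
        }
        term default {
            then accept;
        }
    }
}
routing-options {
    forwarding-table {
        /* Classes are attached when the route is pushed to the PFE. */
        export tag-dcu;
    }
}
interfaces {
    ge-0/0/0 {
        /* Ingress (peering) interface: enable the DCU lookup here. */
        unit 0 {
            family inet {
                accounting {
                    destination-class-usage;
                }
            }
        }
    }
    ge-0/0/1 {
        /* Egress interface toward the customer: act on the class here. */
        unit 0 {
            family inet {
                filter {
                    output act-on-dcu;
                }
            }
        }
    }
}
forwarding-options {
    port-mirroring {
        input {
            rate 1;
        }
        family inet {
            output {
                interface ge-0/0/2.0 {
                    next-hop 192.0.2.254;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter act-on-dcu {
            term discard {
                from {
                    destination-class dcu-discard;
                }
                then {
                    count dcu-discarded;
                    discard;
                }
            }
            term mirror {
                from {
                    destination-class dcu-mirror;
                }
                then {
                    port-mirror;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
```

After a commit, `show route 192.0.2.10 detail` shows the destination class attached to the route and `show firewall filter act-on-dcu` shows the `dcu-discarded` counter moving once a community-tagged route arrives; the `route-filter` in the tagging policy is the check that keeps the route server from tagging prefixes outside your own space.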




________________________________
From: Stefan Fouant <sfouant at shortestpathfirst.net>
To: Justin M. Streiner <streiner at cluebyfour.org>; juniper-nsp at puck.nether.net
Sent: Thu, March 24, 2011 10:53:47 PM
Subject: Re: [j-nsp] Filter Based Forwarding with bgp import rib

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Justin M. Streiner
> Sent: Thursday, March 24, 2011 7:35 AM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Filter Based Forwarding with bgp import rib
> 
> I've been hunting around for a solution to a similar issue - essentially
> a modified approach to RTBH.  I'd like to be able to redirect or
> optionally port-mirror inbound and outbound traffic to another interface
> on my border router, and the trigger for determining what traffic would
> be affected would be a BGP feed from a route server, and the actions to
> be taken (discard, redirect to another interface, port-mirror to another
> interface) by the border routers could be dictated by BGP community tags.
> 
> The issues I've run into with this have been that I couldn't find a way
> to get a Junos firewall filter to see and react to BGP routes and their
> associated community tags.

Hi Justin,

I've done just this very thing for various traffic filtering applications.
Ping me offline and I can provide you some sample configs that should work.
One thing I'd like to point out however, since you mention RTBH, is that I
think you would be better served with BGP FlowSpec in this case, because
RTBH only serves to provide automated distribution of destination-based
filters throughout an environment.  Technically you can do S/RTBH if you
couple RTBH w/ uRPF... nonetheless there are some limitations to this
approach, and that is one of the primary reasons FlowSpec was created in the
first place.  You can filter on source-address, destination-address, protocol,
source-port, and destination-port, or any combination of these.  Much more
flexible in my opinion than simply RTBH, plus it gives you the flexibility
of FBF w/ automation layered on top.  Juniper probably has the best working
implementation of FlowSpec out of any of the vendors out there so you're in
luck here.

I have a presentation on the benefits of FlowSpec on my blog -
http://www.shortestpathfirst.net/presentations/

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC
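To make the FlowSpec comparison concrete, here is an added Junos example (not Stefan's sample config, which he offered offline, and not anything posted on the list): two locally defined flow routes that match on the five-tuple fields he lists, plus a BGP session that accepts flow routes from a controller. Addresses, ports, group and policy names are assumptions for illustration. The `no-validate` policy is the security-relevant part: by default Junos applies the RFC 5575 check that a received flow route must come from the peer that is also the best unicast path for the destination, which a route server typically is not, so the check has to be relaxed for that peer and should then be scoped to your own prefixes rather than disabled outright.

```junos
/* Added example (not from the original post). Addresses, ports, group
   and policy names are assumptions. */
routing-options {
    flow {
        /* Evaluate terms in RFC 5575 order rather than the legacy order. */
        term-order standard;
        route drop-dns-reflection {
            match {
                destination 192.0.2.10/32;
                source 198.51.100.0/24;
                protocol udp;
                source-port 53;
            }
            then discard;
        }
        route police-syn-to-web {
            match {
                destination 192.0.2.10/32;
                protocol tcp;
                destination-port 80;
                tcp-flags syn;
            }
            then rate-limit 1m;
        }
    }
}
policy-options {
    policy-statement flow-from-controller {
        /* Skip next-hop validation only for flow routes whose destination
           lies in our own space; anything else is still validated. */
        term own-space-only {
            from {
                route-filter 192.0.2.0/24 orlonger;
            }
            then accept;
        }
        term else {
            then reject;
        }
    }
}
protocols {
    bgp {
        group flowspec-controller {
            type internal;
            local-address 192.0.2.1;
            family inet {
                unicast;
                flow {
                    no-validate flow-from-controller;
                }
            }
            neighbor 192.0.2.2;
        }
    }
}
```

Received and local flow routes appear in `show route table inetflow.0`, and the filter Junos generates from them is visible with `show firewall filter __flowspec_default_inet__`, whose per-route counters are the quickest way to confirm that a pushed rule is actually matching.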

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
