
BGP Flowspec in IOX Platform


BGP Flow Specification 功能是一种用于防止 DoS(Denial of Service)/DDoS(Distributed Denial of Service)攻击的方法,可以提高网络安全性和可用性。其实现方式为 BGP FS controller 通过 BGP 下发特定的规则给 BGP FS client, BGP FS client 收到后按照该规则对特定流进行 redirect/remark/drop/rate limit。

BGP FS controller 可为 router 或者 server:

  • Router/Virtual Router(ASR9000, CRS, NCS 6000, XR 12000, … XRv9000)
  • Server(ExaBGP, YABGP, Open Day Light, Arbor SP, …)

BGP FS controller

Router

以 IOS XR 路由器为例, 配置示例如下:

//create rules

class-map type traffic match-all match-UDP53
 match destination-port 53
 match protocol udp
 end-class-map
!
class-map type traffic match-all match-src-ipv4-addr
 match destination-address ipv4 25.1.104.0 255.255.255.0
 end-class-map

policy-map type pbr FS
 class type traffic match-src-ipv4-addr
  police rate 100000 bps
  !
 !
 class type traffic match-UDP53
  redirect next 192.42.52.125
  !
 !
 class type traffic class-default
 !
 end-policy-map

flowspec
 address-family ipv4
  service-policy type pbr FS

RP/0/RP0/CPU0:MXC.TAC.L.08-8201-01#show run router bgp
Mon Aug 30 04:44:52.662 UTC
router bgp 100
 bgp router-id 10.1.4.4
 address-family ipv4 flowspec
 !
 neighbor-group ibgp-flowspec
  remote-as 100
  address-family ipv4 flowspec
  !
 !
 neighbor 10.1.34.3
  use neighbor-group ibgp-flowspec
 !

Server

以 ExaBGP 为例:

Github上介绍了安装方式,也提供了 flowspec 相关的配置文件以供参考。

  • ExaBGP Install
[root@localhost ~]# pip install exabgp
Collecting exabgp
  Downloading exabgp-4.2.13.tar.gz (400 kB)
     |████████████████████████████████| 400 kB 14.9 MB/s
Requirement already satisfied: setuptools in ./.pyenv/versions/3.7.8/lib/python3.7/site-packages (from exabgp) (47.1.0)
Using legacy 'setup.py install' for exabgp, since package 'wheel' is not installed.
Installing collected packages: exabgp
    Running setup.py install for exabgp ... done
Successfully installed exabgp-4.2.13
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
WARNING: You are using pip version 21.1.3; however, version 21.2.4 is available.
You should consider upgrading via the '/root/.pyenv/versions/3.7.8/bin/python3.7 -m pip install --upgrade pip' command.
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# exabgp --version
ExaBGP : 4.2.13
Python : 3.7.8 (default, May  9 2021, 11:28:59)  [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
Uname  : Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64
Root   : /root/.pyenv/versions/3.7.8
[root@localhost ~]#
  • ExaBGP configuration:
[root@localhost exabgp]# pwd
/root/exabgp
[root@localhost exabgp]# ls -al
total 12
drwxr-xr-x.  2 root root   40 Aug 30 00:51 .
dr-xr-x---. 21 root root 4096 Aug 30 00:51 ..
-rw-r--r--.  1 root root  640 Aug 30 00:51 conf.ini
-rw-r--r--.  1 root root  430 Aug 30 00:43 example.py
[root@localhost exabgp]# cat conf.ini
process announce-routes {
    run /root/.pyenv/versions/3.7.8/bin/python /root/exabgp/example.py;
    encoder json;
}

neighbor 10.31.122.26 {                 # Remote neighbor to peer with
    router-id 10.70.79.197;              # Our local router-id
    local-address 10.70.79.197;          # Our local update-source
    local-as 100;                    # Our local AS
    peer-as 100;                     # Peer's AS

   flow {                               # define flowspec rules
      route {
         match {
            destination 7.7.7.7/32;
         }
         then {
            redirect 10.1.13.1;
         }
      }
   }
    api {                               # Optional: defines which python process uses the API to announce BGP routes
        processes [announce-routes];
    }


}

[root@localhost exabgp]#
  • Define a python script to add/remove routes (optional)

Exabgp 除了可以生成 bgp flowspec 路由,也可以用来生成普通的 BGP 路由,这篇文章介绍了如何使用 python script 生成 BGP 路由。

[root@localhost exabgp]# cat example.py
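#!/usr/bin/env python3
"""ExaBGP API process: announce a fixed list of routes, then stay alive.

ExaBGP launches this script from the ``process`` block of conf.ini and reads
the commands it writes to stdout, one per line.  Each entry in ``messages``
is one plain-text ExaBGP API command.
"""

from sys import stdout
from time import sleep

# ExaBGP API commands, written verbatim to stdout one per line.
messages = [
    'announce route 100.10.0.0/24 next-hop self',
    'announce route 200.20.0.0/24 next-hop self',
]


def announce(commands, out=stdout, delay=1):
    """Write each API command to ``out`` on its own line, flushing after each.

    Args:
        commands: iterable of ExaBGP API command strings (without newline).
        out: text stream ExaBGP reads from; defaults to this process's stdout.
        delay: seconds to pause after each command; 0 disables the pause.

    Returns:
        The number of commands written.
    """
    written = 0
    for command in commands:
        # Flush per line: the process sleeps right after, so a buffered
        # command would otherwise not reach ExaBGP until much later.
        out.write(command + '\n')
        out.flush()
        written += 1
        if delay:
            sleep(delay)
    return written


def main():
    """Wait for ExaBGP to start, announce the routes, then idle forever."""
    sleep(5)
    announce(messages)
    # Loop endlessly to allow ExaBGP to continue running.
    while True:
        sleep(1)


# Guarded so the module can be imported (and announce() tested) without
# blocking on the sleeps and the endless loop.
if __name__ == '__main__':
    main()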
[root@localhost exabgp]#
  • Start ExaBGP
[root@localhost exabgp]# exabgp ./conf.ini
00:51:45 | 61810  | welcome       | Thank you for using ExaBGP
00:51:45 | 61810  | version       | 4.2.13
00:51:45 | 61810  | interpreter   | 3.7.8 (default, May  9 2021, 11:28:59)  [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
00:51:45 | 61810  | os            | Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64
00:51:45 | 61810  | installation  | /root/.pyenv/versions/3.7.8
00:51:45 | 61810  | advice        | environment file missing
00:51:45 | 61810  | advice        | generate it using "exabgp --fi > /root/.pyenv/versions/3.7.8/etc/exabgp/exabgp.env"
00:51:45 | 61810  | cli           | could not find the named pipes (exabgp.in and exabgp.out) required for the cli
00:51:45 | 61810  | cli           | we scanned the following folders (the number is your PID):
00:51:45 | 61810  | cli control   |  - /run/exabgp/
00:51:45 | 61810  | cli control   |  - /run/0/
00:51:45 | 61810  | cli control   |  - /run/
00:51:45 | 61810  | cli control   |  - /var/run/exabgp/
00:51:45 | 61810  | cli control   |  - /var/run/0/
00:51:45 | 61810  | cli control   |  - /var/run/
00:51:45 | 61810  | cli control   |  - /root/.pyenv/versions/3.7.8/run/exabgp/
00:51:45 | 61810  | cli control   |  - /root/.pyenv/versions/3.7.8/run/0/
00:51:45 | 61810  | cli control   |  - /root/.pyenv/versions/3.7.8/run/
00:51:45 | 61810  | cli control   |  - /root/.pyenv/versions/3.7.8/var/run/exabgp/
00:51:45 | 61810  | cli control   |  - /root/.pyenv/versions/3.7.8/var/run/0/
00:51:45 | 61810  | cli control   |  - /root/.pyenv/versions/3.7.8/var/run/
00:51:45 | 61810  | cli control   | please make them in one of the folder with the following commands:
00:51:45 | 61810  | cli control   | > mkfifo /root/exabgp/run/exabgp.{in,out}
00:51:45 | 61810  | cli control   | > chmod 600 /root/exabgp/run/exabgp.{in,out}
00:51:45 | 61810  | configuration | performing reload of exabgp 4.2.13
00:51:45 | 61810  | reactor       | loaded new configuration successfully
00:51:47 | 61810  | reactor       | connected to peer-1 with outgoing-3 10.70.79.197-10.31.122.26
00:51:50 | 61810  | api           | route added to neighbor 10.31.122.26 local-ip 10.70.79.197 local-as 100 peer-as 100 router-id 10.70.79.197 family-allowed in-open : 100.10.0.0/24 next-hop self
00:51:51 | 61810  | api           | route added to neighbor 10.31.122.26 local-ip 10.70.79.197 local-as 100 peer-as 100 router-id 10.70.79.197 family-allowed in-open : 200.20.0.0/24 next-hop self
  00:53:47 | 61810  | reactor       | connected to peer-1 with outgoing-4 10.70.79.197-10.31.122.26

路由器上输出如下:

RP/0/RP0/CPU0:MXC.TAC.L.08-8201-01#show bgp ipv4 unicast summary
Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
10.1.2.2          0   100     181     180        3    0    0 02:50:22          0
10.70.79.197      0   100      67      62        3    0    0 00:36:55          2

RP/0/RP0/CPU0:MXC.TAC.L.08-8201-01#show bgp ipv4 unicast
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
* i100.10.0.0/24      10.70.79.197                  100      0 i
* i200.20.0.0/24      10.70.79.197                  100      0 i

Processed 2 prefixes, 2 paths
RP/0/RP0/CPU0:MXC.TAC.L.08-8201-01#show bgp ipv4 flowspec
   Network            Next Hop            Metric LocPrf Weight Path
*>iDest:7.7.7.7/32/48 10.1.13.1                     100      0 i
*> Dest:8.8.8.8/32/48 10.1.13.1                              0 i

Processed 2 prefixes, 2 paths
RP/0/RP0/CPU0:MXC.TAC.L.08-8201-01#show bgp ipv4 flowspec  Dest:7.7.7.7/32/48 $
Mon Aug 30 05:00:44.529 UTC
BGP routing table entry for Dest:7.7.7.7/32/48
NLRI in Hex: 012007070707/48
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                 16          16
    Flags: 0x00001001+0x00000000;
Last Modified: Aug 30 04:23:30.743 for 00:37:13
Paths: (1 available, best #1)
  Advertised to peers (in unique update groups):
    10.1.34.3
  Path #1: Received by speaker 0
  Flags: 0x2000000001060205, import: 0x20
  Advertised to peers (in unique update groups):
    10.1.34.3
  Local, (Received from a RR-client)
    10.1.13.1 from 10.70.79.197 (10.70.79.197), if-handle 0x00000000
      Origin IGP, localpref 100, valid, internal, best, group-best
      Received Path ID 0, Local Path ID 1, version 16
      Extended community: FLOWSPEC Redirect-IP:0
RP/0/RP0/CPU0:MXC.TAC.L.08-8201-01#show bgp ipv4 flowspec summary
<Snip>
Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
10.1.34.3         0   100    1388    1407       16    0    0 02:59:21          0
10.70.79.197      0   100      68      63       16    0    0 00:37:29          1

BGP FS Client

配置示例:

//Install all rules on all interface
RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#show run flowspec
Mon Aug 30 05:09:28.007 UTC
flowspec
 local-install interface-all
 address-family ipv4
  local-install interface-all
 !
!

RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#show run router bgp
Mon Aug 30 05:09:32.514 UTC
router bgp 100
 bgp router-id 10.1.3.3
 address-family ipv4 flowspec
 !
 neighbor-group ibgp-flowspec
  remote-as 100
  address-family ipv4 flowspec
  !
 !
 neighbor 10.1.34.4
  use neighbor-group ibgp-flowspec
 !
!

RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#

Some commands:

RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#show policy-map transient targets type pbr
Mon Aug 30 05:50:22.536 UTC
1) Policymap: __bgpfs_default_IPv4    Type: pbr
     Targets (applied as main policy):
       TenGigE0/0/0/14.2500 input
       TenGigE0/0/0/14 input
       HundredGigE0/0/0/20 input
       TenGigE0/0/0/14.101 input
       TenGigE0/0/0/8 input
     Total targets: 5

RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#
RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#show policy-map transient type pbr pmap-name
% Incomplete command.
RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#show policy-map transient type pbr pmap-name __bgpfs_default_IPv4
Mon Aug 30 05:50:53.493 UTC
policy-map type pbr __bgpfs_default_IPv4
 handle:0x36000002
 table description: L3 IPv4 and IPv6
 class handle:0x76000004  sequence 512
   match destination-address ipv4 7.7.7.7 255.255.255.255
  redirect ipv4 nexthop 10.1.13.1
 !
 class handle:0x76000003  sequence 1024
   match destination-address ipv4 8.8.8.8 255.255.255.255
  redirect ipv4 nexthop 10.1.13.1
 !
 class handle:0x76000005  sequence 2048
   match destination-address ipv4 25.1.102.1 255.255.255.255
   match protocol udp
   match packet length 500-1550
  police rate 1000000000 bps
   conform-action transmit
   exceed-action drop
  !
 !
 class handle:0xf6000002  sequence 4294967295 (class-default)
 !
 end-policy-map
!
RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#show bgp ipv4 flowspec
Mon Aug 30 05:53:20.122 UTC
BGP router identifier 10.1.3.3, local AS number 100
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0   RD version: 9
BGP main routing table version 9
BGP NSR Initial initsync version 1 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
*>iDest:7.7.7.7/32/48 10.1.13.1                     100      0 i
*>iDest:8.8.8.8/32/48 10.1.13.1                     100      0 i
*>iDest:25.1.102.1/32,Proto:=17,Length:>=500&<=1550/128
                      0.0.0.0                       100      0 i

Processed 3 prefixes, 3 paths
RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#show bgp ipv4 flowspec  Dest:25.1.102.1/32,Proto:=17,Length:>=500&<=1550/128 detail
Mon Aug 30 05:53:26.663 UTC
BGP routing table entry for Dest:25.1.102.1/32,Proto:=17,Length:>=500&<=1550/128
NLRI in Hex: 0120190166010381110a1301f4d5060e/128
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                  9           9
    Flags: 0x00001001+0x00000000;
Last Modified: Aug 30 05:14:11.832 for 00:39:15
Paths: (1 available, best #1)
  Not advertised to any peer
  Path #1: Received by speaker 0
  Flags: 0x4000000001060005, import: 0x20
  Not advertised to any peer
  Local
    0.0.0.0 from 10.1.34.4 (10.1.4.4), if-handle 0x00000000
      Origin IGP, localpref 100, valid, internal, best, group-best
      Received Path ID 0, Local Path ID 1, version 9
      Extended community: FLOWSPEC Traffic-rate:100,125000000
RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#
RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#show flowspec afi-all detail
Mon Aug 30 05:53:43.848 UTC

AFI: IPv4
  Flow           :Dest:7.7.7.7/32
    Actions      :Nexthop: 10.1.13.1  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :                   0/0
      Dropped             :                   0/0
  Flow           :Dest:8.8.8.8/32
    Actions      :Nexthop: 10.1.13.1  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :                2000/236000
      Dropped             :                   0/0
  Flow           :Dest:25.1.102.1/32,Proto:=17,Length:>=500&<=1550
    Actions      :Traffic-rate: 1000000000 bps  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :                   0/0
      Dropped             :                   0/0
RP/0/RSP0/CPU0:MXC.TAC.L.08-ASR9901-01#
#show flowspec vrf all ipv4 detail
#show flowspec vrf all afi-all summary internal
#show flowspec vrf all afi-all  internal
#show bgp ipv4 flowspec
#show bgp ipv4 flowspec neighbors x.x.x.x received routes

- debug flowspec all
- show flowspec trace manager event error
- show flowspec trace client event error
- show flowspec client internal
- show logging | inc FLOW
- show flowspec vrf all afi-all summary internal
- show flowspec vrf all afi-all internal
- show tech flowspec

参考:

BRKSPG-3012



