BGP FLOWSPEC – ALLOWING TELNET AND BLOCKING ICMP VIA BGP ?
Jan 26
jncie, Juniper BGP FLOWSPEC
Hi,
Juniper's BGP implementation has an address family called flow. Interestingly, Juniper implemented this (or at least documented it) well before the BGP FLOWSPEC RFC was standardized. The crux of the topic is DDoS mitigation.
Two main perspectives, proactive and reactive (from the service provider's perspective):
a. Customer informing the SP of the DDoS automatically through routing updates
b. Customer informing the SP of the DDoS, and the service provider then acting on it on their own
Juniper Documentation:
http://www.juniper.net/documentation/en_US/junos15.1/topics/example/routing-bgp-flow-specification-routes.html
Coming to the sample topology: INTERDOMAIN DDOS MITIGATION EXAMPLE
Requirement / ask: the customer finds that 3.3.3.3/32 is taking a massive hit of ICMP traffic and wants to block it temporarily, while other services like TELNET should remain operational.
Let's quickly look at the current state of operations with defaults.
BGP between R1 and R2, and between R2 and R3, looks fine. Ping works and so does telnet, so no problems there.
Enabling Family Flow between SP routers R1 and R2 and PE-CE R2 and R3
Enabling Flow on Customer Router under Routing Options
Advertising Route
Let's test the result on R1.
As we can see, the ping is now blocked. You can also see the communities, and protocol 1 is advertised in inet-flow, which indicates that ICMP is blocked.
Let's see the final view on R2. We can see that a firewall filter is automatically installed for the control plane for R1/R2/R3 on all incoming interfaces, blocking traffic as per the requirement.
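The three configuration steps above, written out as a Junos configuration fragment. This is an added example, not the author's own configuration: the flow route name and the BGP group name are assumptions, and the fragment is meant to be merged into existing, working BGP groups.

```junos
/* R3 (customer router): the flow route itself.
   Only ICMP to 3.3.3.3/32 is matched, so TELNET to the same
   address is untouched. The route name is an assumption. */
routing-options {
    flow {
        route BLOCK-ICMP-3-3-3-3 {
            match {
                destination 3.3.3.3/32;
                protocol icmp;
            }
            then discard;
        }
    }
}

/* R1, R2 and R3: negotiate the flow family on the existing BGP
   sessions (R1-R2 and R2-R3). Configuring any family explicitly
   replaces the implicit inet unicast, so unicast is listed
   alongside flow. The group name is an assumption. */
protocols {
    bgp {
        group EXAMPLE-PEERS {
            family inet {
                unicast;
                flow;
            }
        }
    }
}
```

On the receiving routers, `show route table inetflow.0 extensive` shows the learned flow route with its match conditions and communities, and `show firewall filter __flowspec_default_inet__` shows the counters of the filter that Junos builds from it. Because `no-validate` is not configured, flow routes received over EBGP remain subject to the default flow-route validation.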
This is an attempt to understand the Flow-Spec feature; it is vast and has many knobs to deal with.
Regards
Rakesh M