MyNOG, 21st August 2014
Mohd Izni Zuhdi Mohamed Rawi
izni@tm.com.my
BGP Flow Specs Overview
•  Dissemination of Flow Specification Rules
•  Defined in RFC 5575, in 2009
•  Leverages BGP as a method to distribute flow information and the actions to be taken
•  A tool for mitigating DDoS
•  Can also be used for traffic filtering in BGP/MPLS VPN environments
Problem Statement
[Figure legend: Legitimate traffic; Illegitimate traffic]
Prior to BGP Flow Spec, RTBH was used
•  Remote Triggered Blackhole
•  Changes the next-hop of the destination address to a discard interface, dropping traffic at network edges
•  Only the destination address and a drop action can be specified
•  Filtering is mixed with routing
Remote Triggered Blackhole
[Figure labels: Legitimate traffic; Illegitimate traffic; Control info; networks 1.1.1.1/24 and 2.2.2.2/24; announced rule: Dest: 1.1.1.1/32, Action: Drop]
BGP Flow Spec is more flexible (1/2)
•  New set of NLRI is introduced
   Type 1: Match on Destination IP Prefix
   Type 2: Match on Source IP Prefix
   Type 3: Match on IP Protocol
   Type 4: Match on Source OR Destination TCP/UDP Port
   Type 5: Match on Destination TCP/UDP Port
   Type 6: Match on Source TCP/UDP Port
   Type 7: Match on Type fields in ICMP packet
   Type 8: Match on Code fields in ICMP packet
   Type 9: Match on various TCP Flags
   Type 10: Match on Packet Length, excluding L2 headers
   Type 11: Match on DSCP Value
   Type 12: Match on Fragment Encoding – DF, First Fragment, Last Fragment, Is a Fragment
BGP Flow Spec is more flexible (2/2)
•  Multiple traffic filtering actions are possible
•  Carried in extended communities
   - Traffic-rate: defined in bytes/sec, likely use is policing certain applications
   - Traffic-action: sampling & logging, subsequent traffic filtering rules
   - Redirect: redirects to a specified VRF based on Route Target
   - Traffic-marking: modifies DSCP to the set values
Example 1: Provider advertises Flow Specs
[Figure labels: networks 1.1.1.1/24 and 2.2.2.2/24; advertised rule: Dest IP: 1.1.1.1/32, Dest Port: 23, Action: Rate-limit]
Example 2: Customer injects Flow Specs
[Figure labels: networks 1.1.1.1/24 and 2.2.2.2/24; injected rule: Dest IP: 1.1.1.1/32, Dest Port: 23, Action: Rate-limit]
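The slides list the NLRI component types and the action communities but not how they look on the wire. The following is an added example, not part of the original slides: a Python decoder for an RFC 5575 IPv4 flow specification NLRI and its action extended community, run on the rule from Examples 1 and 2. The function names, the AS number 64512 and the rate of 125000 bytes/sec are assumptions made for illustration.

```python
import ipaddress
import struct

# Component types as listed on the slide; types 9 and 12 use bitmask operators.
TYPES = {1: "dest-prefix", 2: "src-prefix", 3: "ip-protocol", 4: "port",
         5: "dest-port", 6: "src-port", 7: "icmp-type", 8: "icmp-code",
         9: "tcp-flags", 10: "packet-length", 11: "dscp", 12: "fragment"}
# Numeric operator bits lt (4), gt (2), eq (1) combine into one comparison.
CMP = {0: "false", 1: "=", 2: ">", 3: ">=", 4: "<", 5: "<=", 6: "!=", 7: "true"}


def decode_nlri(data: bytes) -> list:
    """Decode one IPv4 flow specification NLRI into (component, match) pairs."""
    try:
        # Length is one octet below 240, otherwise two octets of the form 0xfnnn.
        start = 1 if data[0] < 0xF0 else 2
        length = int.from_bytes(data[:start], "big") & 0x0FFF
        buf = data[start:start + length]
        if len(buf) != length:
            raise ValueError("truncated NLRI")
        out, i, last = [], 0, 0
        while i < len(buf):
            ctype = buf[i]
            if ctype not in TYPES or ctype <= last:  # types must ascend
                raise ValueError(f"unknown or out-of-order component {ctype}")
            last, i = ctype, i + 1
            if ctype in (1, 2):  # <prefix length, prefix octets>
                plen = buf[i]
                raw = buf[i + 1:i + 1 + (plen + 7) // 8]
                if plen > 32 or len(raw) != (plen + 7) // 8:
                    raise ValueError("bad prefix component")
                addr = int.from_bytes(raw.ljust(4, b"\0"), "big")
                net = ipaddress.IPv4Network((addr, plen), strict=False)
                out.append((TYPES[ctype], str(net)))
                i += 1 + len(raw)
                continue
            terms = []
            while True:  # list of <operator, value> pairs
                op = buf[i]
                vlen = 1 << ((op >> 4) & 3)  # value is 1, 2, 4 or 8 octets
                raw = buf[i + 1:i + 1 + vlen]
                if len(raw) != vlen:
                    raise ValueError("truncated operand")
                val, i = int.from_bytes(raw, "big"), i + 1 + vlen
                text = CMP[op & 7] + str(val)
                if ctype in (9, 12):  # bitmask operator: not (2), match-all (1)
                    text = ("not " if op & 2 else "") + ("all:" if op & 1 else "any:") + hex(val)
                # The AND bit (0x40) joins this term to the previous one.
                terms.append((" and " if op & 0x40 else " or ") * bool(terms) + text)
                if op & 0x80:  # end-of-list bit
                    break
            out.append((TYPES[ctype], "".join(terms)))
    except IndexError:
        raise ValueError("truncated component") from None
    return out


def decode_action(ec: bytes) -> tuple:
    """Decode one 8-octet flow specification action extended community."""
    if len(ec) != 8:
        raise ValueError("extended community must be 8 octets")
    kind, low = int.from_bytes(ec[:2], "big"), ec[7]
    if kind == 0x8006:  # traffic-rate: 2-octet AS, IEEE float in bytes/sec
        return ("traffic-rate",) + struct.unpack("!Hf", ec[2:])
    if kind == 0x8007:  # traffic-action: sample bit, then terminal-action bit
        return "traffic-action", bool(low & 2), bool(low & 1)
    if kind == 0x8008:  # redirect: 6-octet Route Target of the target VRF
        return "redirect", ec[2:].hex()
    if kind == 0x8009:  # traffic-marking: DSCP in the low six bits
        return "traffic-marking", low & 0x3F
    raise ValueError("not a flow specification action")


# Constructed samples: the rule from the slides' examples, and a made-up AS/rate.
SAMPLE_NLRI = bytes.fromhex("09 01 20 01010101 05 81 17")
SAMPLE_RATE = struct.pack("!HHf", 0x8006, 64512, 125000.0)
```

A traffic-rate of 0.0 is how a flow specification expresses a plain drop, which makes the RTBH behaviour a special case of this encoding.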
Validation Procedure
•  Before an advertisement is accepted, it is validated against these conditions:
   - The originator of the flow specification matches the originator of the best-match unicast route for the destination prefix in the flow specification
   - There is no more-specific unicast route, compared to the flow destination prefix, that has been received from a different neighbouring AS than the best-match unicast route determined in the step above
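The two checks above, as an added example that is not part of the original slides: a Python function that validates a flow specification's destination prefix against a unicast RIB. It assumes the RIB holds one best route per prefix; the router IDs, AS numbers and the 2.2.0.0/16 aggregate are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class UnicastRoute:
    prefix: ipaddress.IPv4Network
    originator: str   # router that originated the route (hypothetical IDs below)
    neighbor_as: int  # neighbouring AS the route was received from


def validate_flowspec(rib, flow_dest, flow_originator):
    """Return (accepted, reason) for a flow spec with the given destination prefix.

    Assumes `rib` holds one best unicast route per prefix.
    """
    dest = ipaddress.ip_network(flow_dest)
    # Check 1: best-match (longest-prefix) unicast route covering the destination.
    covering = [r for r in rib if dest.subnet_of(r.prefix)]
    if not covering:
        return False, "no unicast route covers the flow destination"
    best = max(covering, key=lambda r: r.prefix.prefixlen)
    if best.originator != flow_originator:
        return False, f"originator mismatch: {best.prefix} comes from {best.originator}"
    # Check 2: no more-specific unicast route from a different neighbouring AS.
    for r in rib:
        more_specific = r.prefix != dest and r.prefix.subnet_of(dest)
        if more_specific and r.neighbor_as != best.neighbor_as:
            return False, f"more-specific {r.prefix} received from AS{r.neighbor_as}"
    return True, "feasible"


# Constructed RIB. 1.1.1.0/24 and 2.2.2.0/24 stand for the two networks drawn in
# the slides; the 2.2.0.0/16 aggregate, router IDs and AS numbers are made up.
RIB = [
    UnicastRoute(ipaddress.ip_network("1.1.1.0/24"), "10.0.0.1", 64512),
    UnicastRoute(ipaddress.ip_network("2.2.2.0/24"), "10.0.0.2", 64513),
    UnicastRoute(ipaddress.ip_network("2.2.0.0/16"), "10.0.0.1", 64512),
]

if __name__ == "__main__":
    for dest, orig in [("1.1.1.1/32", "10.0.0.1"), ("2.2.2.2/32", "10.0.0.1"),
                       ("2.2.0.0/16", "10.0.0.1"), ("3.3.3.3/32", "10.0.0.1")]:
        print(dest, orig, validate_flowspec(RIB, dest, orig))
```

The second and third cases are the ones the procedure exists for: a neighbour cannot install a filter for a destination whose best route, or a more-specific part of it, belongs to someone else.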
Work in progress
•  Dissemination of Flow Specification Rules for IPv6
•  draft-ietf-idr-flow-spec-v6-05 (exp 21/09/14)
•  BGP Flow-Spec Ext Community for Traffic Redirect to IP Next Hop
•  draft-simpson-idr-flowspec-redirect-02 (exp 26/05/13)
Managing Traffic Flows via BGP Flowspec by Mohd Izni Zuhdi Mohamed Rawi
