Bird as BGP flow-spec announcement filter
Hello,

is it possible to do BGP Flowspec announcement filtering with Bird? For example, I want to provide the capability for my customer to announce BGP Flowspec rules to my network. However, I must check if the announced rule has a dst from the customer's IP range. Bird should act as a route reflector only.

Thanks,
Blažej
Hi,

I tried with 2.0.8 and it seems you can do something like:

    show route table TF_AS203759_v4 filter { if net.dst ~ [ 192.168.0.0/16+] then accept; }

I only checked it within the CLI but assume that the filter also works as an import/export filter for the flowspec peering. Another valid search scope may be net.src for source filtering.

HTH,
tim

On Sat, Jan 08, 2022 at 12:44:53PM +0100, Blažej Krajňák wrote:
> Hello,
> is it possible to do BGP Flowspec announcement filtering with Bird? For example, I want to provide the capability for my customer to announce BGP Flowspec rules to my network. However, I must check if the announced rule has a dst from the customer's IP range. Bird should act as a route reflector only.
> Thanks, Blažej

--
Tim Weippert
http://weiti.org - weiti@weiti.org
GPG Fingerprint - E704 7303 6FF0 8393 ADB1 398E 67F2 94AE 5995 7DD8
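The expression from Tim's CLI test, placed in an import filter on a flow4 channel. This is an added example, not configuration posted by anyone in this thread. The protocol names, table name, AS numbers and neighbor addresses are placeholders, and it assumes, as Tim does, that the expression behaves in an import filter as it does in the CLI.

```bird
# Added illustration; every name, AS number and address below is a placeholder.
flow4 table flowtab4;

# Accept only flowspec rules whose destination lies inside the customer's range.
filter cust_a_flow4_in {
    # This channel should carry IPv4 flowspec only.
    if net.type != NET_FLOW4 then reject;

    # "/16+" matches 192.168.0.0/16 itself and every more specific prefix in it.
    # A wider destination such as 192.168.0.0/15 does not match and is rejected.
    if net.dst ~ [ 192.168.0.0/16+ ] then accept;

    # Default: drop everything that was not explicitly allowed above.
    reject;
}

# Session on which the customer announces flowspec rules.
protocol bgp cust_a {
    local as 64500;
    neighbor 192.0.2.10 as 64501;
    flow4 {
        table flowtab4;
        import filter cust_a_flow4_in;
        export none;            # nothing is sent back to the customer
    };
}

# Internal router that receives the accepted rules from the reflector.
protocol bgp edge1 {
    local as 64500;
    neighbor 198.51.100.1 as 64500;
    rr client;
    flow4 {
        table flowtab4;
        import none;            # rules originate only from the customer session
        export all;
    };
}
```

Running Tim's `show route table ... filter { ... }` command against the flow4 table after the session is up shows which rules passed the import filter.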
Hi all,

as far as I know, the developers just recently added support for RFC 5575 sec. 6 and RFC 8955 (in the scheduled version 2.0.9), which will validate flow-spec rules against the unicast routing table. We were waiting for this feature too, so good job, Ondrej!

Marian

--
Marian Rychtecký
mr@nix.cz
Phone +420 724 397 441
NIX.CZ z.s.p.o.
Americká 23, Praha 2 130 52 Czech Republic
http://www.nix.cz

------ Original Message ------
From: "Blažej Krajňák" <blazej.krajnak@gmail.com>
To: bird-users@network.cz
Sent: 08-Jan-22 12:44:53
Subject: Bird as BGP flow-spec announcement filter

> Hello,
> is it possible to do BGP Flowspec announcement filtering with Bird? For example, I want to provide the capability for my customer to announce BGP Flowspec rules to my network. However, I must check if the announced rule has a dst from the customer's IP range. Bird should act as a route reflector only.
> Thanks, Blažej
Hi,

great to hear that. Are these new changes publicly available to test? I could not find them on Gitlab.
On Mon, Jan 10, 2022 at 06:57:29PM +0100, Blažej Krajňák wrote:
> Hi,
> great to hear that. Are these new changes publicly available to test? I could not find them on Gitlab.

Hi

It is branch oz-trie-table ( https://gitlab.nic.cz/labs/bird/-/tree/oz-trie-table ), commit d045831327dd0762054b7515619d5a3ebdffdb19. For manual filters, net.src and net.dst should also work.

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."