Filter based on BGP protocol status ...
Hi,

I'm quite sure this cannot be done, but I also know there is a lot of BIRD I still don't know, so here it goes:

Is there any way to filter an export route based on another BGP session status?

For the sake of simplicity let's say we have just two providers A and B, and I only want to export some specific routes to B when A is down.

I can do it externally with a quite simple script (for example: check if the provider is down via the CLI and, if it's down, insert the routes I want to export into a kernel table and export that to provider B), but it would be nice if I could do it directly in Bird.

I've been scratching my head around this, but unless there is something like if proto.A == down in the filters I don't really see how to do it (or maybe some way to raise a global flag based on whether I'm receiving routes via provider B, but I don't think that can be done either).

Thanks for your time!
Xavier
Hello!
Is there any way to filter an export route based on another BGP session status?
No and it isn't in a short-term plan. The multithreaded version may get some better API to do it, yet I won't promise anything specific.
For the sake of simplicity let’s say we have just two providers A and B, and I only want to export some specific routes to B when A is down.
I can do it externally with a quite simple script (For example: Check if the provider is down via CLI and if it’s down insert the routes I want to export to a kernel table and export that to provider B) but it would be nice if I could do it directly in Bird.
I’ve been scratching my head around this, but unless there is something like if proto.A == down on the filters I don’t really see how to do it (Or maybe some way to raise a global flag based on if I’m receiving routes via provider B, but I don’t think that can’t be done either.)
I'd suggest depreferencing the B-route by AS path stuffing, like 3-5 times or so, to effectively force usage of the other route while still exporting it.

Maria
Hi Maria,
I'd suggest depreferencing the B-route by AS path stuffing, like 3-5 times or so, to effectively force usage of the other route while still exporting it.
Yes, that's what we usually do, but we have found providers that, if the client IPs are on their own AS (to which we are connected directly), will route directly to us, discarding prepending. In this specific scenario, it is a service that will be oriented to customers who suffer big DDoS attacks regularly. We have one provider which specializes in DDoS scrubbing services, and the ranges for these specific clients will only be announced via that provider to ensure traffic is always filtered. But if that specific provider has an issue or a maintenance, we'll have to publish the ranges on other providers and rely on our local DDoS scrubbing system and blackhole communities for worst-case scenarios. We already have in place scripts that inject routes into kernel tables when a specific subnet needs to be filtered (and prepended on non-DDoS-protected providers), so most probably we'll adapt what we already have.
No and it isn't in a short-term plan. The multithreaded version may get some better API to do it, yet I won't promise anything specific.
That would be great. I would also like to use the opportunity to tell you how much we love Bird! It's been our main BGP system for more than a decade, and it's one of the most flexible and stable pieces of software we use. Congratulations to you and the rest of the team for the amazing work you do!

Thanks!
Xavier.

-----Original Message----- From: Bird-users <bird-users-bounces@network.cz> On behalf of Maria Matejka Sent: Thursday, 24 March 2022 8:27 To: bird-users@network.cz Subject: Re: Filter based on BGP protocol status ...
I know that it is not the focus of your question, and also not the focus of this mailing list, but...

For that kind of automation, the best BGP engine you will find is ExaBGP. It is not focused on being in compliance with all the concepts of a routing system itself. Its focus is exactly automation using an API.

The scenario you described triggered in me something like a Zabbix looking at the status of the BGP sessions of Bird, and based on that doing API queries to an ExaBGP that is an iBGP peer of Bird.

This model is used in many tools focused on anomaly detection for triggering DDoS mitigation.

But, if your intention is a much simpler scenario, the suggestion Maria made is the most common! You can also use some BGP communities (if your upstream supports it) for no-export for some prefixes... Sometimes it helps.

On Wed, 23 Mar 2022 12:10, Xavier Trilla <xavier.trilla@clouding.io> wrote:
Hi Douglas,

Thanks for the tip, I did not know about ExaBGP, it seems worth looking into. We also use Zabbix for the monitoring of our platform, but usually some of these things we prefer to do using regular shell scripting (in the end, something like a script running every N seconds that checks the status of a specific protocol should not be heavy on the system) because that way it does not depend on external systems. But yes, ExaBGP looks really interesting. We'll check it out.
You can also use some BGP communities (if your upstream supports it) for no-export for some prefixes... Sometimes it helps.
Well, we do that usually for DDoS traffic diversion to our scrubbing provider, but we have found some providers we have a direct connection to don't respect prepending, and for this specific case we need to ensure all the traffic is filtered.

Thanks!
Xavier.

From: Douglas Fischer <fischerdouglas@gmail.com> Sent: Thursday, 24 March 2022 11:43 To: Xavier Trilla <xavier.trilla@clouding.io> CC: BIRD Users <bird-users@network.cz> Subject: Re: Filter based on BGP protocol status ...
Hi,

If you want to do it with Bird, and you have a static set of routes to conditionally announce, you can try a trick like this:

Take some prefix that should always be announced by A (their own prefix, for example).

Add a separate route table in Bird, e.g. table_a.

Then add a pipe protocol that exports from the main table to table_a only this prefix and only from this peer.

Add a static protocol attached to table_a with your set of routes to announce, which have some IP from the signaling prefix used as a recursive gateway.

When the prefix is absent they'll have unreachable status. Export those routes from table_a to the main table, filtering out routes with unreachable status.

Thus you'll have those routes in the main table conditionally, depending on the availability of the signaling prefix from peer A.

Hope that works for you. And of course those routes could meddle with other routes in your routing table, but they should only be used for announcing them to BGP, so be careful.

On Thu, Mar 24, 2022 at 1:05 PM Xavier Trilla <xavier.trilla@clouding.io> wrote:
Hi Alexander,

Ok, I'm trying to wrap my head around this, so the idea is to filter based on route reachability, forcing recursive routes?
Take some prefix that should be always announced by A (their own prefix for example).
ok, we could try to use one route of their AS (Although the next jump to them is not announced via BGP, is just set in our router manually)
Add separate route table in bird, ex. table_a
ok
Then add a pipe protocol that exports from the main table to table_a only this prefix and only from this peer.
ok
Add static protocol attached to table_a with your set of routes to announce, which have some IP from the signaling prefix used as a recursive gateway.
Ok, here is where I get a bit lost. You mean to put our routes so the next hop is recursive and can only be resolved with the route previously imported from the provider?
When the prefix is absent they'll have unreachable status. Export those routes from table_a to table main filtering out routes with unreachable status.

Ok, and we can then export these routes to other providers forcing the next_hop to be us?

I think I'm getting the idea, but I will have to test it a bit to better understand it and be sure it could work in our environment.

Thanks for the info!
Xavier.

-----Original Message----- From: Alexander Zubkov <green@qrator.net> Sent: Thursday, 24 March 2022 13:35 To: Xavier Trilla <xavier.trilla@clouding.io> CC: Douglas Fischer <fischerdouglas@gmail.com>; BIRD Users <bird-users@network.cz> Subject: Re: Filter based on BGP protocol status ...
On Thu, Mar 24, 2022 at 01:46:26PM +0000, Xavier Trilla wrote:
Hi Alexander,
Ok, I'm trying to wrap my head around this, so the idea is to filter based on route reachability, forcing recursive routes?
I agree with Alexander, that is a pretty elegant way to solve this issue.
Add static protocol attached to table_a with your set of routes to announce, which have some IP from the signaling prefix used as a recursive gateway.
Ok, here is where I get a bit lost. You mean to put our routes so the next hop is recursive and can only be resolved with the route previously imported from the provider?
Yes, that is the idea.
When the prefix is absent they'll have unreachable status. Export those routes from table_a to table main filtering out routes with unreachable status.

Ok, and we can then export these routes to other providers forcing the next_hop to be us?
Generally bgp_next_hop is rewritten automatically when propagating through EBGP to peers on other ifaces, but you can make it rewrite manually when propagating from table_a to table main.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
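Alexander's signaling-prefix trick, together with Ondrej's point about the next hop, written out as a BIRD 2 configuration. This is an added example, not code from the thread or from the BIRD project. It goes one step beyond the thread: Alexander's construction puts the conditional routes into the main table while A is up, so to get Xavier's "announce to B only when A is down" the example adds a regular route with a lower preference and a marker community on the conditional route, and lets B's export filter reject the marked route; that inversion, the marker community and all addresses, ASNs and protocol names are my assumptions (TEST-NET ranges and private ASNs as placeholders).

```bird
# Constructed example, not from the thread: BIRD 2 configuration for Alexander's
# signaling-prefix trick, extended so that provider B gets the protected prefix only
# while provider A is down. Addresses, ASNs and names are placeholders.

router id 198.51.100.1;
ipv4 table table_a;      # holds the signal and the conditional routes
protocol device { }

# Provider A: the scrubbing upstream. 192.0.2.0/24 stands in for a prefix A always
# announces (e.g. its own); it serves only as the "A is up" signal.
protocol bgp provider_a {
    local 198.51.100.1 as 64500;
    neighbor 198.51.100.2 as 64501;
    ipv4 {
        next hop self;   # Ondrej's point: advertise our own address as next hop
        import filter {
            # Let A's copy of the signal win in master4 even if B carries the
            # same prefix; the pipe below only ever sees the best route.
            if net = 192.0.2.0/24 then preference = 120;
            accept;
        };
        export filter {
            # The customer prefix always goes to A; strip the internal marker.
            if net = 203.0.113.0/24 then {
                if defined(bgp_community) then bgp_community.delete((64500, 100));
                accept;
            }
            reject;
        };
    };
}

# Provider B: plain upstream. While A is up, the marked route (preference 210) is
# the best route for the prefix in master4 and is rejected here, so B sees nothing.
# When A is down the marked route is gone and the regular route is exported.
protocol bgp provider_b {
    local 198.51.100.5 as 64500;
    neighbor 198.51.100.6 as 64502;
    ipv4 {
        next hop self;
        import all;
        export filter {
            if net = 203.0.113.0/24 && defined(bgp_community)
               && (64500, 100) ~ bgp_community then reject;
            if source = RTS_STATIC then accept;
            reject;
        };
    };
}

# Step 1: copy only the signaling prefix, and only A's copy of it, into table_a.
protocol pipe signal_a {
    table master4;
    peer table table_a;
    import none;
    export filter {
        if net = 192.0.2.0/24 && proto = "provider_a" then accept;
        reject;
    };
}

# Step 2: a static route whose next hop resolves recursively through table_a. It
# resolves only while the signal is present; otherwise dest = RTD_UNREACHABLE.
protocol static conditional_routes {
    ipv4 { table table_a; };
    route 203.0.113.0/24 recursive 192.0.2.1 {
        preference = 210;                   # beats the regular route (200)
        bgp_community.add((64500, 100));    # internal marker: "A is up"
    };
}

# Step 3: move the conditional route into master4 only while it is resolvable.
protocol pipe conditional_to_main {
    table table_a;
    peer table master4;
    import none;
    export filter {
        if source != RTS_STATIC then reject;    # never send the signal back
        if dest = RTD_UNREACHABLE then reject;  # signal gone: withdraw
        accept;
    };
}

# The regular route: always present. A blackhole aggregate stands in for however
# the prefix really reaches master4 (IGP, kernel, more specifics).
protocol static customer_routes {
    ipv4;
    route 203.0.113.0/24 blackhole;
}

# Alexander's caveat: the marked route would otherwise be installed into the
# kernel pointing at A; it exists only to steer BGP exports, so keep it out.
protocol kernel {
    ipv4 {
        export filter {
            if defined(bgp_community) && (64500, 100) ~ bgp_community then reject;
            accept;
        };
    };
}
```

To watch the switch happen, compare birdc show route table table_a all (the conditional route shows as unreachable while the signal is missing) with birdc show route export provider_b before and after birdc disable provider_a. The two things that most often break this setup are the signal prefix being selected from another peer in master4 (hence the preference bump in A's import filter) and the marked route leaking into the kernel or into A without its marker stripped, which is what the kernel export filter and A's export filter guard against.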
On Thu 24 Mar 2022 07:43:03 GMT, Douglas Fischer wrote:
But, if your intention is a much simpler scenario, the suggestion Maria made is the most common! You can also use some BGP communities (if your upstream supports it) for no-export for some prefixes... Sometimes it helps.
More simply, you can add a community on the non-ddos-protected provider to make them lower the localpref to peer routes, and stop the prepend.
More simply, you can add a community on the non-ddos-protected provider to make them lower the localpref to peer routes, and stop the prepend.
We tried, but some providers basically ignore everything if you have a direct connection with them. They just forward you the traffic despite prepending or localpref.

Thanks!
Xavier.

-----Original Message----- From: Bird-users <bird-users-bounces@network.cz> On behalf of Alarig Le Lay Sent: Thursday, 24 March 2022 13:43 To: bird-users@network.cz Subject: Re: Filter based on BGP protocol status ...
I'm pretty sure that you already know that, and probably already heard that... But you should not do business with companies like that one.

On Thu, 24 Mar 2022 11:09, Xavier Trilla <xavier.trilla@clouding.io> wrote:
I'm pretty sure that you already know that, and probably already heard that... But you should not do business with companies like that one.
Well, I won't say who, but I'm referring to a big DIA European provider (really good providers besides this specific issue)... But yeah, I hate when they just ignore our prepending. If the attacking IP belongs to the specific provider AS number, the traffic will be delivered directly by the DIA we have.

From: Douglas Fischer <fischerdouglas@gmail.com> Sent: Thursday, 24 March 2022 23:06 To: Xavier Trilla <xavier.trilla@clouding.io> CC: Alarig Le Lay <alarig@swordarmor.fr>; BIRD Users <bird-users@network.cz> Subject: Re: Filter based on BGP protocol status ...
If alternative paths for this provider go via transits then it's absolutely normal and expected that the prepends that you send are ignored, because local-pref on their side will be the decisive tie breaker. I don't see here any reason to complain about the provider implementing perfectly normal traffic engineering.

In such cases what is left for you is to play with de-aggregation of prefixes on the other links that you want to prefer, or have a serious discussion with your partner if it's not reasonable to implement communities with the results which you expect to see, or play with traffic scrubbing/filtering/BGP flowspec.

Regards,
Grzegorz

From: Xavier Trilla <xavier.trilla@clouding.io> Date: Friday 2022-03-25 at 14:38 To: Douglas Fischer <fischerdouglas@gmail.com> Cc: BIRD Users <bird-users@network.cz> Subject: RE: Filter based on BGP protocol status ...
participants (7)

- Alarig Le Lay
- Alexander Zubkov
- Douglas Fischer
- Maria Matejka
- Ondrej Zajicek
- Ponikierski, Grzegorz
- Xavier Trilla