Hi List,

I do some testing on Bird as FlowSpec Controller.

I added a static protocol for inserting flowspec routes:

    flow4 table flowtab4;

    # RFC 5575 flow specification
    protocol static flowstat4 {
      flow4;

      route flow4 {
        src 80.147.231.118/32;
        dst 185.55.234.2/32;
      };
    }

and setting an export filter on the peer to add the needed extended community to discard the traffic:

    # IPv4 Flowspec (1/133)
    flow4 {
      # connects to flowtab4 table by default
      import all;
      export filter {
        # Rate Limit 0 == discard
        bgp_ext_community.add((generic, 0x80060000, 0x00000000));
        accept;
      };
    };

With this approach I can successfully drop all flow4 entries on a Cisco ASR 1001-X. But how would I add several flow routes to the flow table and decide differently on the action?

Is it possible to add the community directly to the route entry in the static table, as it is possible in an ipv4 static channel/protocol?

I haven't found anything in the documentation.

Or do I need to write a filter which matches on different flow attributes to set individual actions?

Additionally, I can't really calculate a rate-limit, does someone have an example for this?

regards,
tim

--
Tim Weippert
http://weiti.org - weiti@weiti.org
GPG Fingerprint - E704 7303 6FF0 8393 ADB1 398E 67F2 94AE 5995 7DD8
On Thu, Jun 21, 2018 at 08:23:37PM +0200, Tim Weippert wrote:
> Hi List,
>
> I do some testing on Bird as FlowSpec Controller. ... With this approach I can successfully drop all flow4 entries on a Cisco ASR 1001-X. But how would I add several flow routes to the flow table and decide differently on the action?
>
> Is it possible to add the community directly to the route entry in the static table, as it is possible in an ipv4 static channel/protocol?

Hi

You can attach filter expressions directly to static routes, e.g.:

    route 10.20.0.0/16 via 10.10.1.1 { ospf_metric_1 = 100; };

For flowspec routes it would look like:

    route flow4 {
      src 80.147.231.118/32;
      dst 185.55.234.2/32;
    } {
      # Rate Limit 0 == discard
      bgp_ext_community.add((generic, 0x80060000, 0x00000000));
    };

We are working on a way to specify flow actions in a more user-friendly manner.

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hi Ondrej,

On Fri, Jun 22, 2018 at 03:17:55AM +0200, Ondrej Zajicek wrote:
> On Thu, Jun 21, 2018 at 08:23:37PM +0200, Tim Weippert wrote:
> > Hi List,
> >
> > I do some testing on Bird as FlowSpec Controller. ... With this approach I can successfully drop all flow4 entries on a Cisco ASR 1001-X. But how would I add several flow routes to the flow table and decide differently on the action?
> >
> > Is it possible to add the community directly to the route entry in the static table, as it is possible in an ipv4 static channel/protocol?
>
> Hi
>
> You can attach filter expressions directly to static routes, e.g.:
>
>     route 10.20.0.0/16 via 10.10.1.1 { ospf_metric_1 = 100; };

Yes, that is what I know.

> For flowspec routes it would look like:
>
>     route flow4 {
>       src 80.147.231.118/32;
>       dst 185.55.234.2/32;
>     } {
>       # Rate Limit 0 == discard
>       bgp_ext_community.add((generic, 0x80060000, 0x00000000));
>     };

Ah ok, just another block with { }, that is one of the few things I haven't tested. Thanks!

> We are working on a way to specify flow actions in a more user-friendly manner.

That would be great, but if it works it is ok :)

regards,
tim

--
Tim Weippert
http://weiti.org - weiti@weiti.org
GPG Fingerprint - E704 7303 6FF0 8393 ADB1 398E 67F2 94AE 5995 7DD8
> > We are working on a way to specify flow actions in a more user-friendly manner.
>
> That would be great, but if it works it is ok :)

Please check the show-route branch and give me some feedback. I think it is OK and working but we never had enough time to test it properly.

Thank you in advance
Maria
On Thu, Jun 21, 2018 at 08:23:37PM +0200, Tim Weippert wrote:
> Hi List,
>
> [...]
>
> Additionally, I can't really calculate a rate-limit, does someone have an example for this?

I will answer this question myself.

---
Calculating rate-limit 50 mbit/s:

    50 / 8 == 6.25 MByte/s
    6.25 * 1000 * 100 == 6250000 Bytes/s

Convert them to Float IEEE754 (use some online tools, e.g.: http://www.binaryconvert.com/convert_float.html):

    FloatIEEE754 6250000 == 0x4ABEBC20
---

I wrote a small blog post to document the journey:

https://weiti.org/network/2018/06/25/flowspec-bird2-controller

Hope this helps others.

regards,
tim
-- Tim Weippert http://weiti.org - weiti@weiti.org GPG Fingerprint - E704 7303 6FF0 8393 ADB1 398E 67F2 94AE 5995 7DD8
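The rate-limit calculation from the last message as a script, added here as an example and not code from any of the posters or from the BIRD project: it encodes a rate in bytes per second as an IEEE 754 single-precision value, formats the bgp_ext_community.add statement used in this thread, and decodes a value back so a rule's action can be checked before it is exported. The function names and the asn parameter (the 2-byte AS field of the RFC 5575 traffic-rate community, 0 in the thread's configs) are assumptions.

```python
import struct

TRAFFIC_RATE = 0x8006  # type 0x80, subtype 0x06, as in the thread's 0x80060000


def rate_bits(bytes_per_second: float) -> int:
    """IEEE 754 single-precision bit pattern of a rate in bytes/s."""
    if bytes_per_second < 0:
        raise ValueError("rate must not be negative")
    return struct.unpack(">I", struct.pack(">f", bytes_per_second))[0]


def decode_rate(bits: int) -> float:
    """Inverse of rate_bits(): bytes/s carried in the low 32 bits."""
    return struct.unpack(">f", struct.pack(">I", bits))[0]


def bird_action(mbit_per_s: float, asn: int = 0) -> str:
    """BIRD filter statement for a traffic-rate action (rate 0 == discard).

    asn is an assumed parameter for the community's 2-byte AS field.
    """
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("asn must fit in 16 bits")
    high = (TRAFFIC_RATE << 16) | asn
    low = rate_bits(mbit_per_s * 1_000_000 / 8)  # Mbit/s -> bytes/s
    return "bgp_ext_community.add((generic, 0x%08X, 0x%08X));" % (high, low)


def describe(low: int) -> str:
    """Human-readable meaning of a traffic-rate value, for config review."""
    rate = decode_rate(low)
    if rate == 0:
        return "discard"
    return "limit to %.2f Mbit/s" % (rate * 8 / 1_000_000)


if __name__ == "__main__":
    # Constructed sample rates in Mbit/s; 0 and 50 are the thread's cases.
    for mbit in (0, 50, 1):
        low = rate_bits(mbit * 1_000_000 / 8)
        print(bird_action(mbit), "#", describe(low))
```

Single precision keeps 24 significant bits, so rates that are not exactly representable are rounded; decode the value to see what the router will actually receive.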
participants (3)
- Jan Maria Matejka
- Ondrej Zajicek
- Tim Weippert