In the last comment of this topic: Does RPF filtering support blackhole routes? it is suggested that you could be willing to implement BGP FlowSpec in VyOS if you get some support from someone.
We are very interested in this, and we would be willing to give support, at least with the testing part. However, we were wondering how this would be implemented in VyOS. Would this imply a commit like operation each time a flowspec announcement is received/withdrawn? What would be the scalability of it?
We currently work with thousands of rules in our VyOS boxes, and being able to move, at least part of those (the most dynamic ones), to flowspec rules would be something very interesting, but we are not sure how would that fit with the current VyOS filtering architecture.
What are your thoughts on this?
Thanks a lot!