BGP FlowSpec support


In the last comment of this topic, Does RPF filtering support blackhole routes?, it is suggested that you might be willing to implement BGP FlowSpec in VyOS if you get some support from someone.

We are very interested in this, and we would be willing to give support, at least with the testing part. However, we were wondering how this would be implemented in VyOS. Would this imply a commit-like operation each time a FlowSpec announcement is received/withdrawn? What would the scalability of it be?

We currently work with thousands of rules in our VyOS boxes, and being able to move at least part of those (the most dynamic ones) to FlowSpec rules would be very interesting, but we are not sure how that would fit with the current VyOS filtering architecture.

What are your thoughts on this?

Thanks a lot!

It would be great to have something like this in VyOS. I guess it refers to the functionality of applying firewall rules based on received BGP FlowSpec ads, as Juniper is doing today.

Yes, it would be nice. FlowSpec is very useful. The good news is that FRR now supports it. However, the work depends on a rewrite of the BGP code of VyOS to Python. Interfaces are nearly all converted and hopefully BGP will be one of the next to be picked up. There was already discussion on the topic but I can not tell you when it will be exactly; your crystal ball is as good as mine :slight_smile:

So the plan is finally to translate the received BGP FlowSpec announcements into iptables rules?

Could this be a path to avoid committing the changes in VyOS, at least for changes that do not need to persist across reboots…
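The translation asked about above, as an added example that is not VyOS, FRR or goBGP code: a small Python routine that turns a FlowSpec rule, written in a constructed simplified text form (not the exact output of either daemon), into the iptables command that enforces it. It assumes a dedicated chain named FLOWSPEC and covers only the prefix, protocol and port components plus the discard and rate-limit actions.

```python
import ipaddress
import shlex

# Simplified FlowSpec components handled here and their iptables equivalents.
# tcp-flags, fragment, packet-length, dscp and redirect are out of scope.
MATCH_OPTS = {
    "destination": "-d", "source": "-s", "protocol": "-p",
    "destination-port": "--dport", "source-port": "--sport",
}


def parse_rule(text):
    """Parse 'component value ... action <discard|rate-limit N>' into a dict."""
    tokens = shlex.split(text)
    rule = {"match": {}, "action": None}
    i = 0
    while i < len(tokens):
        key = tokens[i]
        if key == "action":
            rule["action"] = tokens[i + 1:]
            break
        if key not in MATCH_OPTS:
            raise ValueError("unsupported FlowSpec component: %s" % key)
        value = tokens[i + 1]
        if key in ("destination", "source"):
            value = str(ipaddress.ip_network(value))  # validates the prefix
        rule["match"][key] = value
        i += 2
    if not rule["action"]:
        raise ValueError("rule has no action")
    return rule


def to_iptables(text, chain="FLOWSPEC"):
    """Return the iptables command enforcing one FlowSpec rule (constructed syntax)."""
    rule = parse_rule(text)
    match = rule["match"]
    if any(k.endswith("-port") for k in match) and "protocol" not in match:
        raise ValueError("port match needs a protocol: --dport/--sport require -p")
    args = ["iptables", "-A", chain]
    for key in MATCH_OPTS:  # fixed order keeps the output deterministic
        if key in match:
            args += [MATCH_OPTS[key], match[key]]
    action = rule["action"]
    if action == ["discard"] or action == ["rate-limit", "0"]:
        args += ["-j", "DROP"]  # a rate-limit of 0 bytes/s is a discard
    elif action[0] == "rate-limit" and len(action) == 2:
        # FlowSpec rate-limit is bytes/s; hashlimit's 'b' suffix is a coarse approximation
        args += ["-m", "hashlimit", "--hashlimit-name", chain.lower(),
                 "--hashlimit-above", "%sb/second" % action[1], "-j", "DROP"]
    else:
        raise ValueError("unsupported action: %s" % " ".join(action))
    return " ".join(args)
```

Each announcement withdrawal would need the matching `-D` command, which is why keeping these rules in their own chain rather than in the committed VyOS firewall config is the natural fit.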

@darconada … The plan is to migrate the BGP configuration from the old Vyatta configuration style to our new shiny one, and when done we will surely be looking at FlowSpec as it is very useful for DDoS mitigation.

I am not sure what FRR (the BGP daemon VyOS uses) does under the hood without looking first, as we are not yet at that point (and as I am probably not the person who will perform this BGP migration either).

Ok. If you need collaboration with FlowSpec testing, just let me know. I have been using goBGP for FlowSpec BGP announcements and Juniper for the BGP FlowSpec firewall filter implementation. I would really love to be able to use VyOS for the second part.

It will be with pleasure when we come to it :slight_smile:

I happen to know Flowspec quite well if I dare say so :smiley: :wink:

I bet you do… :slight_smile:

