BGP FlowSpec support

Hi,

In the last comment of this topic: Does RPF filtering support blackhole routes? - #3 by bbs2web it is suggested that you could be willing to implement BGP FlowSpec in VyOS if you get some support from someone.

We are very interested in this, and we would be willing to give support, at least with the testing part. However, we were wondering how this would be implemented in VyOS. Would this imply a commit like operation each time a flowspec announcement is received/withdrawn? What would be the scalability of it?

We currently work with thousands of rules in our VyOS boxes, and being able to move, at least part of those (the most dynamic ones), to flowspec rules would be something very interesting, but we are not sure how would that fit with the current VyOS filtering architecture.

What are your thoughts on this?

Thanks a lot!

It would be great to have something like this in vyos. I guess it refers to the functionality of applying firewall rules based on received BGP flowspec ads as Juniper is doing today.

Yes, it would be nice. FlowSpec is very useful. The good news is that FRR now supports it. However, the work depends of a rewrite of the BGP code of VyOS to Python. Interfaces are nearly all converted and hopefully BGP will be one of the next pick-up. There was already discussion on the topic but I can not tell you when it will be exactly, your crystal ball is as good as mine :slight_smile:

So the plan is finally translate the received bgpflow spec announcements in iptables rules?

Could be this a path to avoid to commit the changes in vyos? at least for a non reboot persistance changes…

@darconada … The plan is to migrate the BGP configuration from the old Vyatta configuration style to our new shinny one and when done we will surely be looking at FlowSpec as it is very useful for DDOS mitigation.

I am not sure what FRR (the BGP daemon VyOS uses) does under the hood without looking first as we are not yet at the point (and as I am probably not the person who will perform this BGP migration neither).

Ok. If you need collaboration with flowspec test just let me know I have being using using goBGP for flowspec BGP anouncements and Juniper for BGP flowspec firewall filter implementation. i really love to be able to use vyos for the second part.

It will be with pleasure when we come to it :slight_smile:

I happen to know Flowspec quite well if I dare say so :smiley: :wink:

1 Like

I bet you do… :slight_smile:

1 Like

Hello,

we are also very interested concerning the feature. This topic was created over 1 year ago, do you have any fresh information about the implementation of this feature?
As darconada, we also could bring collaboration (test the feature in lab and production environments) if needed.

Thank you.
Alejandro

This feature is present in 1.4

vyos@r11-roll# set protocols bgp neighbor 203.0.113.1 address-family ipv4-flowspec 
Possible completions:
 > filter-list  as-path-list to filter route updates to/from this peer
 > prefix-list  IPv4-Prefix-list to filter route updates to/from this peer
 > route-map    Route-map to filter route updates to/from this peer
   route-reflector-client
                Peer is a route reflector client
   route-server-client
                Peer is a route server client
 > soft-reconfiguration
                Soft reconfiguration for peer
1 Like

Hello,

We are doing test concerning the Flowspec, and we can see this message: “not installed in PBR”. Please take a look to this output:
vyos@vyos1acf:~$ show bgp ipv4 flowspec detail
BGP flowspec entry: (flags 0x418)
Destination Address 0.0.0.0/0
Source Address 15.86.54.221/32
Destination Port >= 0 , <= 65535
Source Port >= 49160 , <= 49163
NH:10.100.1.101:0 FS:action eval stops
received for 00:41:05
not installed in PBR
BGP flowspec entry: (flags 0x418)
Destination Address 0.0.0.0/0
Source Address 15.86.54.221/32
Destination Port >= 0 , <= 65535
Source Port >= 49164 , <= 49167
NH:10.100.2.101:0 FS:action eval stops
received for 00:17:12
not installed in PBR
BGP flowspec entry: (flags 0x418)
Destination Address 0.0.0.0/0
Source Address 15.86.54.221/32
Source Port >= 49160 , <= 65535
FS:rate 0.000000
received for 00:41:05
not installed in PBR

vyos@vyos2acf:~$ sh version
Version: VyOS 1.4-rolling-202210200800
Release train: current

Built by: autobuild@vyos.net
Built on: Thu 20 Oct 2022 08:00 UTC
Build UUID: 32212799-8fad-49e4-bf46-855968710e14
Build commit ID: 98450c47b40a2f

Architecture: x86_64
Boot via: installed image
System type: KVM guest

Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: 88dab7d2-0b72-4254-9f06-d8f4070ef4be

Copyright: VyOS maintainers and contributors

There is a command to enable or something else we are missing? If you need more information, do not hesitate to ask it, I will provide you with configuration commands or whatever.

Thank you very much.

Best regards,
Alejandro Castaño Fernández

It can’t be used as a filter system/policy right now, just establish bgp and send flowspec session and send/receive flowspec route

The firewall/policy on base flowspec is not implemented yet

Thank you for the quick answer.
Is there a release planned for PBR flowspec ?

It is still a question of how to parse flowspec routes/updates
In my internal tests, I used ExaBGP for parsing flowspec updates and generating rules for VyOS
But I’m sure there is a best way. Needs to parse FRR