We are very interested in this, and we would be willing to give support, at least with the testing part. However, we were wondering how this would be implemented in VyOS. Would this imply a commit-like operation each time a flowspec announcement is received/withdrawn? What would the scalability of it be?
We currently work with thousands of rules in our VyOS boxes, and being able to move at least part of those (the most dynamic ones) to flowspec rules would be something very interesting, but we are not sure how that would fit with the current VyOS filtering architecture.
It would be great to have something like this in VyOS. I guess it refers to the functionality of applying firewall rules based on received BGP flowspec advertisements, as Juniper is doing today.
Yes, it would be nice. FlowSpec is very useful. The good news is that FRR now supports it. However, the work depends on a rewrite of the BGP code of VyOS to Python. Interfaces are nearly all converted and hopefully BGP will be one of the next pick-ups. There was already discussion on the topic but I cannot tell you when it will be exactly; your crystal ball is as good as mine.
@darconada … The plan is to migrate the BGP configuration from the old Vyatta configuration style to our new shiny one, and when done we will surely be looking at FlowSpec as it is very useful for DDoS mitigation.
I am not sure what FRR (the BGP daemon VyOS uses) does under the hood without looking first, as we are not yet at the point (and as I am probably not the person who will perform this BGP migration either).
Ok. If you need collaboration with flowspec testing just let me know. I have been using goBGP for flowspec BGP announcements and Juniper for the BGP flowspec firewall filter implementation. I would really love to be able to use VyOS for the second part.
We are also very interested in this feature. This topic was created over 1 year ago; do you have any fresh information about the implementation of this feature?
Like darconada, we could also bring collaboration (test the feature in lab and production environments) if needed.
vyos@r11-roll# set protocols bgp neighbor 203.0.113.1 address-family ipv4-flowspec
Possible completions:
>  filter-list           as-path-list to filter route updates to/from this peer
>  prefix-list           IPv4-Prefix-list to filter route updates to/from this peer
>  route-map             Route-map to filter route updates to/from this peer
   route-reflector-client
                         Peer is a route reflector client
   route-server-client   Peer is a route server client
>  soft-reconfiguration  Soft reconfiguration for peer
We are doing tests concerning FlowSpec, and we can see this message: “not installed in PBR”. Please take a look at this output:
vyos@vyos1acf:~$ show bgp ipv4 flowspec detail
BGP flowspec entry: (flags 0x418)
Destination Address 0.0.0.0/0
Source Address 15.86.54.221/32
Destination Port >= 0 , <= 65535
Source Port >= 49160 , <= 49163
NH:10.100.1.101:0 FS:action eval stops
received for 00:41:05
not installed in PBR
BGP flowspec entry: (flags 0x418)
Destination Address 0.0.0.0/0
Source Address 15.86.54.221/32
Destination Port >= 0 , <= 65535
Source Port >= 49164 , <= 49167
NH:10.100.2.101:0 FS:action eval stops
received for 00:17:12
not installed in PBR
BGP flowspec entry: (flags 0x418)
Destination Address 0.0.0.0/0
Source Address 15.86.54.221/32
Source Port >= 49160 , <= 65535
FS:rate 0.000000
received for 00:41:05
not installed in PBR
vyos@vyos2acf:~$ sh version
Version: VyOS 1.4-rolling-202210200800
Release train: current
Built by: [email protected]
Built on: Thu 20 Oct 2022 08:00 UTC
Build UUID: 32212799-8fad-49e4-bf46-855968710e14
Build commit ID: 98450c47b40a2f
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: 88dab7d2-0b72-4254-9f06-d8f4070ef4be
Copyright: VyOS maintainers and contributors
Is there a command to enable it, or something else we are missing? If you need more information, do not hesitate to ask; I will provide you with configuration commands or whatever is needed.
It is still a question of how to parse flowspec routes/updates.
In my internal tests, I used ExaBGP for parsing flowspec updates and generating rules for VyOS.
But I’m sure there is a better way. It needs to parse FRR.
Where? Could you share a link to the documentation? I thought that flowspec was only supported in the control plane and that VyOS itself could not be influenced in the forwarding.
I’ve had a look around also and I can’t seem to find any mention of how this works and what the configuration options are in the docs.
I can see there’s an open issue for implementing flowspec support in VyOS but it is not marked as complete and also doesn’t have any further leads to how it works or in what version it may be implemented.
Could you provide a link to the relevant documentation and a reference as to what release version it is available from?
There is a container with flowspec handling of netfilter rules.
For now only the action “drop” is available.
Integration is available only for customers with subscriptions.
In most cases the version does not matter (1.4-1.5).
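Two posts above touch the same gap: one notes that the missing piece is parsing FRR's flowspec state into rules, the other describes a drop-only integration that turns flowspec entries into netfilter rules. The script below is an added example written for this thread, not code from VyOS, FRR or the subscription container. It parses the `show bgp ipv4 flowspec detail` output pasted earlier (embedded as the sample input), keeps the "not installed in PBR" status per entry, and renders only entries whose action is a traffic-rate of 0 (the FlowSpec discard action) as nftables drop rules; everything else is reported as unsupported rather than silently ignored. The table and chain names, the `forward` hook, and the use of the protocol-agnostic `th` port match are assumptions of the example.

```python
"""Translate FRR `show bgp ipv4 flowspec detail` output into nftables rules.

Added example for this thread, not code from VyOS, FRR or the container
mentioned above. It assumes the text layout of the paste earlier in the
thread and, like the drop-only integration described there, only turns
entries with a traffic-rate of 0 (discard per RFC 5575) into drop rules.
"""
import re

# Constructed sample input: the three entries pasted earlier in the thread.
SAMPLE_OUTPUT = """\
BGP flowspec entry: (flags 0x418)
Destination Address 0.0.0.0/0
Source Address 15.86.54.221/32
Destination Port >= 0 , <= 65535
Source Port >= 49160 , <= 49163
NH:10.100.1.101:0 FS:action eval stops
received for 00:41:05
not installed in PBR
BGP flowspec entry: (flags 0x418)
Destination Address 0.0.0.0/0
Source Address 15.86.54.221/32
Destination Port >= 0 , <= 65535
Source Port >= 49164 , <= 49167
NH:10.100.2.101:0 FS:action eval stops
received for 00:17:12
not installed in PBR
BGP flowspec entry: (flags 0x418)
Destination Address 0.0.0.0/0
Source Address 15.86.54.221/32
Source Port >= 49160 , <= 65535
FS:rate 0.000000
received for 00:41:05
not installed in PBR
"""

ENTRY_RE = re.compile(r"^BGP flowspec entry:")
ADDR_RE = re.compile(r"^(Destination|Source) Address (\S+)$")
PORT_RE = re.compile(r"^(Destination|Source) Port >= (\d+) , <= (\d+)$")
RATE_RE = re.compile(r"FS:rate ([0-9.]+)")
ACTION_RE = re.compile(r"FS:action (.+)$")


def parse_flowspec_detail(text):
    """Return one dict per flowspec entry found in the FRR output."""
    entries = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            cur = {"src": None, "dst": None, "sport": None, "dport": None,
                   "action": None, "installed": True}
            entries.append(cur)
            continue
        if cur is None:
            continue  # text before the first entry header
        m = ADDR_RE.match(line)
        if m:
            cur["dst" if m.group(1) == "Destination" else "src"] = m.group(2)
            continue
        m = PORT_RE.match(line)
        if m:
            key = "dport" if m.group(1) == "Destination" else "sport"
            cur[key] = (int(m.group(2)), int(m.group(3)))
            continue
        m = RATE_RE.search(line)
        if m:  # traffic-rate extended community; 0 means discard
            cur["action"] = ("rate", float(m.group(1)))
            continue
        m = ACTION_RE.search(line)
        if m:  # any other FS action is recorded verbatim and left unhandled
            cur["action"] = ("action", m.group(1).strip())
            continue
        if line == "not installed in PBR":
            cur["installed"] = False
    return entries


def entry_to_nft(entry):
    """Render a rate-0 entry as one nftables rule body; None if unsupported."""
    if entry["action"] != ("rate", 0.0):
        return None
    parts = []
    if entry["src"] and entry["src"] != "0.0.0.0/0":
        parts.append(f"ip saddr {entry['src']}")
    if entry["dst"] and entry["dst"] != "0.0.0.0/0":
        parts.append(f"ip daddr {entry['dst']}")
    # 'th' matches transport-header ports for any L4 protocol; the entries
    # above carry no protocol component, so tcp/udp cannot be assumed.
    for key, nft_key in (("sport", "th sport"), ("dport", "th dport")):
        rng = entry[key]
        if rng and rng != (0, 65535):  # full range is a no-op match
            lo, hi = rng
            parts.append(f"{nft_key} {lo}" if lo == hi else f"{nft_key} {lo}-{hi}")
    parts.append("counter drop")
    return " ".join(parts)


def build_nft_script(text, table="flowspec", chain="fs_drop"):
    """Return (nft script text, entries skipped as unsupported)."""
    rules, skipped = [], []
    for entry in parse_flowspec_detail(text):
        rule = entry_to_nft(entry)
        (rules if rule else skipped).append(rule or entry)
    lines = [
        f"add table inet {table}",
        f"flush table inet {table}",  # replace the previous rule set atomically
        f"add chain inet {table} {chain} "
        "{ type filter hook forward priority filter; policy accept; }",
    ]
    lines += [f"add rule inet {table} {chain} {r}" for r in rules]
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    script, unsupported = build_nft_script(SAMPLE_OUTPUT)
    print(script)
    for e in unsupported:
        print("# skipped (unsupported action):", e["action"], "src", e["src"])
```

Feeding the script's output to `nft -f -` would install the drop rule; the two "action eval stops" entries are reported on stderr-style comment lines instead of being guessed at, which is the behaviour a drop-only integration should have for any FlowSpec action it does not implement.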