
Internet Engineering Task Force                                 Ahmed Bashir
Internet-Draft                                          12 December 2016
Updates: 5575 (if approved)
Intended status: Standards Track
Expires: December 12, 2017

                         Inter-provider Propagation of BGP Flow specification Rules

This document describes a mechanism to propagate and handle flowspec messages beyond adjacent flowspec address family peers.
The message propagation and handling techniques described in this draft allow the filtering actions to be taken at the point nearest to the DDoS attack origin.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1. Introduction

The (AFI, SAFI) pairs allocated by IANA for BGP Flowspec are (1, 133) for IPv4 and (1, 134) for VPNv4.
Flowspec message handling, however, depends on the semantics derived from the (AFI, SAFI) pair.
This limits its "transitivity" to BGP peers within the same Subsequent Address Family, unlike unicast routing, which is propagated all over the Internet.
The original motivation of mitigating DDoS attacks is in turn limited by the hardware capabilities of the devices on which the flowspec filtering actions are applied.

2. Proposed Flowspec Message Handling Process

Message Originator:
-       The initiating router sends a flowspec message with the destination prefix embedded in the flow specification, along with the other parameters (source prefix and action).
-       The initiator should also add a special transitive extended community.

Intra-AS peers:
-       Intra-AS peers that are configured under the flowspec address family are instructed by the special community to propagate the update as a BGP unicast update to ordinary BGPv4 adjacent peers.

Intermediary/Terminal Routers:
-       Upon receiving the flowspec-BGP update message from a neighbor as a unicast BGP update, the source prefix embedded in the flowspec rule should be examined against the BGP table.
-       If the AS path that corresponds to the longest prefix match in the BGP table is not empty, the update message should be further propagated.
-       If the AS path is empty, the flowspec filtering action should be installed on that router.

The logical explanation is that BGP routes with an empty AS-Path are injected into BGP from within the local AS.

In simple words, the flowspec rule will be propagated until it reaches the nearest attack point, and the filtering actions will be installed there.

3. Operational Considerations

Apart from the obvious requirement that BGP implementations be able to handle and propagate the proposed Flowspec message encodings, there is a design and implementation consideration:
when routers receive the proposed flowspec update messages, they should not initiate any path recalculation based on the messages being received; in a large-scale attack, such behavior can lead to unpredictable instability.

4. Security Considerations

Citing RFC 5575, "A flow specification NLRI must be validated such that it is
considered feasible if and only if: a) The originator of the flow specification matches the originator of the best-match unicast route for the destination prefix embedded in the flow specification...".
This precautionary procedure for accepting an incoming flowspec rule aims to verify that the origin of the flowspec route is an authorized source.
If the rule is not validated, an attacker can carry out a new DoS attack by advertising a flowspec route that filters traffic owned by any service provider to any destination.
In intra-provider flowspec deployments, there are efforts [2] to revise the validation procedures to allow centralized client-server deployment models.
This allows a server to populate and send flowspec routes even if it is not the best path for the unicast route advertised in the flowspec rule.
In our proposed model, which aims to disseminate flowspec rules across providers, it is crucial to retain the precautionary validation procedures specified in RFC 5575.
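As an added illustration that is not part of this draft, the following Python models the decision an intermediary/terminal router makes under Section 2 (longest prefix match on the source prefix, install on an empty AS path, otherwise propagate), preceded by the RFC 5575 originator check that Section 4 requires on the destination prefix. The BGP table, originator identifiers and the sample rule are constructed data, and rejecting a rule whose source prefix has no covering route is an assumption the draft does not specify.

```python
import ipaddress

# Constructed sample BGP table (not from the draft): prefix -> (originator, AS path).
# An empty AS path marks a route injected into BGP from within the local AS.
BGP_TABLE = {
    "10.0.0.0/8":      ("192.0.2.1", [64500, 64501]),
    "10.1.0.0/16":     ("192.0.2.1", [64500]),
    "10.1.2.0/24":     ("192.0.2.2", []),          # locally originated
    "198.51.100.0/24": ("192.0.2.9", [64502]),
}

def best_match(table, prefix):
    """Longest-prefix match of `prefix` against the table.
    Returns (network, originator, as_path), or None when no route covers it."""
    target = ipaddress.ip_network(prefix, strict=False)
    best = None
    for pfx, (originator, as_path) in table.items():
        net = ipaddress.ip_network(pfx)
        if net.version != target.version or not target.subnet_of(net):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, originator, as_path)
    return best

def feasible_rfc5575(table, rule):
    """RFC 5575 feasibility check (Section 4): the flowspec originator must
    equal the originator of the best-match unicast route for the DESTINATION."""
    match = best_match(table, rule["dst"])
    return match is not None and match[1] == rule["originator"]

def handle_flowspec(table, rule):
    """Intermediary/terminal router decision (Section 2): validate first, then
    look up the SOURCE prefix; an empty AS path means the attack source is
    inside the local AS, so install the filter; otherwise propagate onward."""
    if not feasible_rfc5575(table, rule):
        return "reject"
    match = best_match(table, rule["src"])
    if match is None:
        return "reject"   # no covering route: assumption, not specified by the draft
    return "install" if not match[2] else "propagate"

if __name__ == "__main__":
    # Constructed rule: victim prefix 198.51.100.0/24, attack source 10.1.2.0/24
    rule = {"originator": "192.0.2.9", "dst": "198.51.100.0/24",
            "src": "10.1.2.0/24", "action": "rate-limit:0"}
    print(handle_flowspec(BGP_TABLE, rule))
```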

5. IANA Considerations


6. References

[RFC7674]  Haas, J., Ed., "Clarification of the Flowspec Redirect
              Extended Community", RFC 7674, DOI 10.17487/RFC7674,
              October 2015.

[RFC5575]  Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
              and D. McPherson, "Dissemination of Flow Specification
              Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009.

Author's Address

   Ahmed Bashir
   +971 50 1192280

   Email: amdbasheir@gmail.com
