.. _bgp-user-guide-flowspec-family:

Flow Specification Family
=========================

The BGP Flow Specification (BGP-FS) Multiprotocol extension can be used to distribute traffic flow specifications.
For example, BGP-FS can be used in (distributed) denial-of-service (DDoS) attack mitigation procedures and for traffic filtering (BGP/MPLS VPN service, DC).

.. contents:: Contents
   :depth: 2
   :local:

Configuration
^^^^^^^^^^^^^

This section shows how to enable the BGP-FS family in the BGP speaker and peer configuration.

BGP Speaker
'''''''''''

To enable BGP-FS support in the BGP plugin, first configure the BGP speaker instance:

**URL:** ``/rests/data/openconfig-network-instance:network-instances/network-instance=global-bgp/protocols``

**Method:** ``POST``

.. tabs::

   .. tab:: JSON

      **Content-Type:** ``application/json``

      **Request Body:**

      .. code-block:: json

         {
             "protocol": [
                 {
                     "identifier": "openconfig-policy-types:BGP",
                     "name": "bgp-example",
                     "bgp-openconfig-extensions:bgp": {
                         "global": {
                             "config": {
                                 "router-id": "192.0.2.2",
                                 "as": 65000
                             },
                             "afi-safis": {
                                 "afi-safi": [
                                     {
                                         "afi-safi-name": "IPV4-FLOW"
                                     },
                                     {
                                         "afi-safi-name": "IPV6-FLOW"
                                     },
                                     {
                                         "afi-safi-name": "IPV4-L3VPN-FLOW"
                                     },
                                     {
                                         "afi-safi-name": "IPV6-L3VPN-FLOW"
                                     }
                                 ]
                             }
                         }
                     }
                 }
             ]
         }

BGP Peer
''''''''

Here is an example of a BGP peer configuration with the BGP-FS family enabled.

**URL:** ``/rests/data/openconfig-network-instance:network-instances/network-instance=global-bgp/openconfig-network-instance:protocols/protocol=openconfig-policy-types:BGP,bgp-example/bgp/neighbors``

**Method:** ``POST``

.. tabs::

   .. tab:: JSON

      **Content-Type:** ``application/json``

      **Request Body:**

      .. code-block:: json

         {
             "neighbor": [
                 {
                     "neighbor-address": "192.0.2.1",
                     "afi-safis": {
                         "afi-safi": [
                             {
                                 "afi-safi-name": "IPV4-FLOW"
                             },
                             {
                                 "afi-safi-name": "IPV6-FLOW"
                             },
                             {
                                 "afi-safi-name": "IPV4-L3VPN-FLOW"
                             },
                             {
                                 "afi-safi-name": "IPV6-L3VPN-FLOW"
                             }
                         ]
                     }
                 }
             ]
         }

Flow Specification API
^^^^^^^^^^^^^^^^^^^^^^

The following trees illustrate the structure of the BGP Flow Specification routes.

IPv4 Flow Specification Route
'''''''''''''''''''''''''''''

.. code-block:: console

   :(flowspec-routes-case)
      +--ro flowspec-routes
         +--ro flowspec-route* [route-key path-id]
            +--ro route-key     string
            +--ro flowspec*
            |  +--ro (flowspec-type)?
            |     +--:(port-case)
            |     |  +--ro ports*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint16
            |     +--:(destination-port-case)
            |     |  +--ro destination-ports*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint16
            |     +--:(source-port-case)
            |     |  +--ro source-ports*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint16
            |     +--:(icmp-type-case)
            |     |  +--ro types*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint8
            |     +--:(icmp-code-case)
            |     |  +--ro codes*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint8
            |     +--:(tcp-flags-case)
            |     |  +--ro tcp-flags*
            |     |     +--ro op?      bitmask-operand
            |     |     +--ro value?   uint16
            |     +--:(packet-length-case)
            |     |  +--ro packet-lengths*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint16
            |     +--:(dscp-case)
            |     |  +--ro dscps*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   dscp
            |     +--:(fragment-case)
            |     |  +--ro fragments*
            |     |     +--ro op?      bitmask-operand
            |     |     +--ro value?   fragment
            |     +--:(destination-prefix-case)
            |     |  +--ro destination-prefix?   inet:ipv4-prefix
            |     +--:(source-prefix-case)
            |     |  +--ro source-prefix?        inet:ipv4-prefix
            |     +--:(protocol-ip-case)
            |        +--ro protocol-ips*
            |           +--ro op?      numeric-operand
            |           +--ro value?   uint8
            +--ro path-id       path-id
            +--ro attributes
               +--ro extended-communities*
                  +--ro transitive?   boolean
                  +--ro (extended-community)?
                     +--:(traffic-rate-extended-community-case)
                     |  +--ro traffic-rate-extended-community
                     |     +--ro informative-as?        bgp-t:short-as-number
                     |     +--ro local-administrator?   netc:bandwidth
                     +--:(traffic-action-extended-community-case)
                     |  +--ro traffic-action-extended-community
                     |     +--ro sample?            boolean
                     |     +--ro terminal-action?   boolean
                     +--:(redirect-extended-community-case)
                     |  +--ro redirect-extended-community
                     |     +--ro global-administrator?   bgp-t:short-as-number
                     |     +--ro local-administrator?    binary
                     +--:(traffic-marking-extended-community-case)
                     |  +--ro traffic-marking-extended-community
                     |     +--ro global-administrator?   dscp
                     +--:(redirect-ipv4-extended-community-case)
                     |  +--ro redirect-ipv4
                     |     +--ro global-administrator?   inet:ipv4-address
                     |     +--ro local-administrator?    uint16
                     +--:(redirect-as4-extended-community-case)
                     |  +--ro redirect-as4
                     |     +--ro global-administrator?   inet:as-number
                     |     +--ro local-administrator?    uint16
                     +--:(redirect-ip-nh-extended-community-case)
                        +--ro redirect-ip-nh-extended-community
                           +--ro next-hop-address?   inet:ip-address
                           +--ro copy?               boolean

IPv6 Flow Specification Route
'''''''''''''''''''''''''''''

.. code-block:: console

   :(flowspec-ipv6-routes-case)
      +--ro flowspec-ipv6-routes
         +--ro flowspec-route* [route-key path-id]
            +--ro flowspec*
            |  +--ro (flowspec-type)?
            |     +--:(port-case)
            |     |  +--ro ports*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint16
            |     +--:(destination-port-case)
            |     |  +--ro destination-ports*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint16
            |     +--:(source-port-case)
            |     |  +--ro source-ports*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint16
            |     +--:(icmp-type-case)
            |     |  +--ro types*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint8
            |     +--:(icmp-code-case)
            |     |  +--ro codes*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint8
            |     +--:(tcp-flags-case)
            |     |  +--ro tcp-flags*
            |     |     +--ro op?      bitmask-operand
            |     |     +--ro value?   uint16
            |     +--:(packet-length-case)
            |     |  +--ro packet-lengths*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint16
            |     +--:(dscp-case)
            |     |  +--ro dscps*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   dscp
            |     +--:(fragment-case)
            |     |  +--ro fragments*
            |     |     +--ro op?      bitmask-operand
            |     |     +--ro value?   fragment
            |     +--:(destination-ipv6-prefix-case)
            |     |  +--ro destination-prefix?   inet:ipv6-prefix
            |     +--:(source-ipv6-prefix-case)
            |     |  +--ro source-prefix?        inet:ipv6-prefix
            |     +--:(next-header-case)
            |     |  +--ro next-headers*
            |     |     +--ro op?      numeric-operand
            |     |     +--ro value?   uint8
            |     +--:(flow-label-case)
            |        +--ro flow-label*
            |           +--ro op?      numeric-operand
            |           +--ro value?   uint32
            +--ro path-id       path-id
            +--ro attributes
               +--ro extended-communities*
                  +--ro transitive?   boolean
                  +--ro (extended-community)?
                     +--:(traffic-rate-extended-community-case)
                     |  +--ro traffic-rate-extended-community
                     |     +--ro informative-as?        bgp-t:short-as-number
                     |     +--ro local-administrator?   netc:bandwidth
                     +--:(traffic-action-extended-community-case)
                     |  +--ro traffic-action-extended-community
                     |     +--ro sample?            boolean
                     |     +--ro terminal-action?   boolean
                     +--:(redirect-extended-community-case)
                     |  +--ro redirect-extended-community
                     |     +--ro global-administrator?   bgp-t:short-as-number
                     |     +--ro local-administrator?    binary
                     +--:(traffic-marking-extended-community-case)
                     |  +--ro traffic-marking-extended-community
                     |     +--ro global-administrator?   dscp
                     +--:(redirect-ipv6-extended-community-case)
                     |  +--ro redirect-ipv6
                     |     +--ro global-administrator?   inet:ipv6-address
                     |     +--ro local-administrator?    uint16
                     +--:(redirect-as4-extended-community-case)
                     |  +--ro redirect-as4
                     |     +--ro global-administrator?   inet:as-number
                     |     +--ro local-administrator?    uint16
                     +--:(redirect-ip-nh-extended-community-case)
                        +--ro redirect-ip-nh-extended-community
                           +--ro next-hop-address?   inet:ip-address
                           +--ro copy?               boolean

Usage
^^^^^

A flowspec route consists of match rules (the flowspec components) and an action, which is carried as an extended community.
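The ``op``/``value`` lists in the trees above are a YANG ``bits`` rendering of the RFC 5575 numeric operator byte (end-of-list, and-bit, less-than, greater-than, equals, plus a length field). The following is an added example, not code from the OpenDaylight BGP project: it encodes such a list into the operator/value octets carried in the NLRI, enforces the two structural rules a speaker checks (end-of-list only on the last operand, and-bit clear on the first), and renders the clause wording used in the route-key strings shown later on this page, so a rule can be cross-checked before it is advertised. The wording for operands that set more than one comparison bit is an assumption of this example.

```python
"""Numeric-operand encoding for BGP Flow Specification components.

Added example (not OpenDaylight project code). Input is the ``op``/``value``
list shape used by the RESTCONF API for ports, destination-ports,
source-ports and protocol-ips.
"""

# RFC 5575 numeric operator byte: e(0x80) a(0x40) len(0x30) 0 lt(0x04) gt(0x02) eq(0x01)
OP_BITS = {
    "end-of-list": 0x80,
    "and-bit": 0x40,
    "less-than": 0x04,
    "greater-than": 0x02,
    "equals": 0x01,
}

# Wording used in the route-key strings on this page.
COMPONENT_WORDS = {
    "ports": "port",
    "destination-ports": "destination port",
    "source-ports": "source port",
    "protocol-ips": "IP protocol",
}
COMPARE_WORDS = {0x04: "is less than", 0x02: "is greater than", 0x01: "equals to"}


def parse_op(op: str) -> int:
    """Turn a YANG numeric-operand bits string into the operator flags (len field excluded)."""
    flags = 0
    for name in op.split():
        if name not in OP_BITS:
            raise ValueError(f"unknown numeric-operand bit: {name!r}")
        flags |= OP_BITS[name]
    return flags


def value_octets(value: int) -> int:
    """Smallest RFC 5575 value length (1, 2, 4 or 8 octets) that holds the value."""
    for n in (1, 2, 4, 8):
        if 0 <= value < (1 << (8 * n)):
            return n
    raise ValueError("value does not fit in 8 octets")


def encode_numeric_operands(items: list) -> bytes:
    """Encode one component's operator list as sent on the wire."""
    if not items:
        raise ValueError("a component needs at least one operand")
    out = bytearray()
    last = len(items) - 1
    for i, item in enumerate(items):
        flags = parse_op(item["op"])
        value = int(item["value"])
        if bool(flags & 0x80) != (i == last):
            raise ValueError(f"end-of-list must be set on the last operand only (index {i})")
        if i == 0 and flags & 0x40:
            raise ValueError("and-bit must be clear on the first operand")
        n = value_octets(value)
        len_field = {1: 0, 2: 1, 4: 2, 8: 3}[n] << 4
        out.append(flags | len_field)
        out += value.to_bytes(n, "big")
    return bytes(out)


def describe(component: str, items: list) -> str:
    """Render a component as a route-key clause, e.g.
    'where destination port is greater than 8080 and is less than 8088 or equals to 3128'."""
    words = [f"where {COMPONENT_WORDS.get(component, component)}"]
    for i, item in enumerate(items):
        flags = parse_op(item["op"])
        compare = [w for bit, w in COMPARE_WORDS.items() if flags & bit]
        if not compare:
            raise ValueError("operand has no comparison bit set")
        if i > 0:
            words.append("and" if flags & 0x40 else "or")
        # Joining several comparison words with "or" is this example's assumption.
        words.append(" or ".join(compare) + f" {int(item['value'])}")
    return " ".join(words)


# Constructed input: the destination-port rule from the Usage section of this page.
DEST_PORTS = [
    {"op": "greater-than", "value": 8080},
    {"op": "less-than and-bit", "value": 8088},
    {"op": "equals end-of-list", "value": 3128},
]

if __name__ == "__main__":
    print(encode_numeric_operands(DEST_PORTS).hex())  # 121f90541f98910c38
    print(describe("destination-ports", DEST_PORTS))
```

Each 16-bit port value is preceded by one operator byte whose length field (0x10) says the value occupies two octets; the and-bit on the second operand is what turns "greater than 8080" and "less than 8088" into one range rather than two alternatives.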
IPv4 Flow Specification
'''''''''''''''''''''''

The IPv4 Flowspec table in an instance of the speaker's Loc-RIB can be verified via REST:

**URL:** ``/rests/data/bgp-rib:bgp-rib/rib/bgp-example/loc-rib/tables=bgp-types:ipv4-address-family,bgp-flowspec:flowspec-subsequent-address-family/bgp-flowspec:flowspec-routes?content=nonconfig``

**Method:** ``GET``

.. tabs::

   .. tab:: JSON

      **Response Body:**

      .. code-block:: json

         {
             "flowspec-routes": {
                 "flowspec-route": {
                     "path-id": 0,
                     "route-key": "all packets to 192.168.0.1/32 AND from 10.0.0.2/32 AND where IP protocol equals to 17 or equals to 6 AND where port equals to 80 or equals to 8080 AND where destination port is greater than 8080 and is less than 8088 or equals to 3128 AND where source port is greater than 1024",
                     "attributes": {
                         "local-pref": {
                             "pref": 100
                         },
                         "origin": {
                             "value": "igp"
                         },
                         "extended-communities": {
                             "transitive": "true",
                             "redirect-extended-community": {
                                 "local-administrator": "AgMWLg==",
                                 "global-administrator": 258
                             }
                         }
                     },
                     "flowspec": [
                         {
                             "destination-prefix": "192.168.0.1/32"
                         },
                         {
                             "source-prefix": "10.0.0.2/32"
                         },
                         {
                             "protocol-ips": [
                                 {
                                     "op": "equals",
                                     "value": 17
                                 },
                                 {
                                     "op": "equals end-of-list",
                                     "value": 6
                                 }
                             ]
                         },
                         {
                             "ports": [
                                 {
                                     "op": "equals",
                                     "value": 80
                                 },
                                 {
                                     "op": "equals end-of-list",
                                     "value": 8080
                                 }
                             ]
                         },
                         {
                             "destination-ports": [
                                 {
                                     "op": "greater-than",
                                     "value": 8080
                                 },
                                 {
                                     "op": "less-than and-bit",
                                     "value": 8088
                                 },
                                 {
                                     "op": "equals end-of-list",
                                     "value": 3128
                                 }
                             ]
                         },
                         {
                             "source-ports": {
                                 "op": "end-of-list greater-than",
                                 "value": 1024
                             }
                         }
                     ]
                 }
             }
         }

IPv6 Flow Specification
'''''''''''''''''''''''

The IPv6 Flowspec table in an instance of the speaker's Loc-RIB can be verified via REST:

**URL:** ``/rests/data/bgp-rib:bgp-rib/rib/bgp-example/loc-rib/tables=bgp-types:ipv6-address-family,bgp-flowspec:flowspec-subsequent-address-family/bgp-flowspec:flowspec-ipv6-routes?content=nonconfig``

**Method:** ``GET``

.. tabs::

   .. tab:: JSON

      **Response Body:**

      .. code-block:: json

         {
             "flowspec-ipv6-routes": {
                 "flowspec-route": {
                     "path-id": 0,
                     "route-key": "all packets to 2001:db8:31::/64 AND from 2001:db8:30::/64 AND where next header equals to 17 AND where DSCP equals to 50 AND where flow label equals to 2013",
                     "attributes": {
                         "local-pref": {
                             "pref": 100
                         },
                         "origin": {
                             "value": "igp"
                         },
                         "extended-communities": {
                             "transitive": true,
                             "traffic-rate-extended-community": {
                                 "informative-as": 0,
                                 "local-administrator": "AAAAAA=="
                             }
                         }
                     },
                     "flowspec": [
                         {
                             "destination-prefix": "2001:db8:31::/64"
                         },
                         {
                             "source-prefix": "2001:db8:30::/64"
                         },
                         {
                             "next-headers": {
                                 "op": "equals end-of-list",
                                 "value": 17
                             }
                         },
                         {
                             "dscps": {
                                 "op": "equals end-of-list",
                                 "value": 50
                             }
                         },
                         {
                             "flow-label": {
                                 "op": "equals end-of-list",
                                 "value": 2013
                             }
                         }
                     ]
                 }
             }
         }

IPv4 L3VPN Flow Specification
'''''''''''''''''''''''''''''

The IPv4 L3VPN Flowspec table in an instance of the speaker's Loc-RIB can be verified via REST:

**URL:** ``/rests/data/bgp-rib:bgp-rib/rib/bgp-example/loc-rib/tables=bgp-types:ipv4-address-family,bgp-flowspec:flowspec-l3vpn-subsequent-address-family/bgp-flowspec:flowspec-l3vpn-ipv4-routes?content=nonconfig``

**Method:** ``GET``

.. tabs::

   .. tab:: JSON

      **Response Body:**

      .. code-block:: json

         {
             "flowspec-l3vpn-ipv4-routes": {
                 "flowspec-l3vpn-route": {
                     "path-id": 0,
                     "route-key": "[l3vpn with route-distinguisher 172.16.0.44:101] all packets from 10.0.0.3/32",
                     "attributes": {
                         "local-pref": {
                             "pref": 100
                         },
                         "ipv4-next-hop": {
                             "global": "5.6.7.8"
                         },
                         "origin": {
                             "value": "igp"
                         },
                         "extended-communities": {
                             "transitive": true,
                             "redirect-ip-nh-extended-community": {
                                 "copy": false,
                                 "next-hop-address": "0.0.0.0"
                             }
                         }
                     },
                     "route-distinguisher": "172.16.0.44:101",
                     "flowspec": {
                         "source-prefix": "10.0.0.3/32"
                     }
                 }
             }
         }

Programming
^^^^^^^^^^^

IPv4 Flow Specification
'''''''''''''''''''''''

This example shows how to originate and remove an IPv4 flowspec route via the programmable RIB.
Make sure the *Application Peer* is configured first.

**URL:** ``/rests/data/bgp-rib:application-rib/10.25.1.9/tables=bgp-types:ipv4-address-family,bgp-flowspec:flowspec-subsequent-address-family/bgp-flowspec:flowspec-routes``

**Method:** ``POST``

.. tabs::

   .. tab:: JSON

      **Content-Type:** ``application/json``

      **Request Body:**

      .. code-block:: json

         {
             "flowspec-route": [
                 {
                     "route-key": "flow1",
                     "path-id": 0,
                     "flowspec": [
                         {
                             "destination-prefix": "192.168.0.1/32"
                         },
                         {
                             "source-prefix": "10.0.0.1/32"
                         },
                         {
                             "protocol-ips": [
                                 {
                                     "op": "end-of-list equals",
                                     "value": 6
                                 }
                             ]
                         },
                         {
                             "ports": [
                                 {
                                     "op": "end-of-list equals",
                                     "value": 80
                                 }
                             ]
                         },
                         {
                             "destination-ports": [
                                 {
                                     "op": "greater-than",
                                     "value": 8080
                                 },
                                 {
                                     "op": "end-of-list and-bit less-than",
                                     "value": 8088
                                 }
                             ]
                         },
                         {
                             "source-ports": [
                                 {
                                     "op": "end-of-list greater-than",
                                     "value": 1024
                                 }
                             ]
                         },
                         {
                             "types": [
                                 {
                                     "op": "end-of-list equals",
                                     "value": 0
                                 }
                             ]
                         },
                         {
                             "codes": [
                                 {
                                     "op": "end-of-list equals",
                                     "value": 0
                                 }
                             ]
                         },
                         {
                             "tcp-flags": [
                                 {
                                     "op": "end-of-list match",
                                     "value": 32
                                 }
                             ]
                         },
                         {
                             "packet-lengths": [
                                 {
                                     "op": "greater-than",
                                     "value": 400
                                 },
                                 {
                                     "op": "end-of-list and-bit less-than",
                                     "value": 500
                                 }
                             ]
                         },
                         {
                             "dscps": [
                                 {
                                     "op": "end-of-list equals",
                                     "value": 20
                                 }
                             ]
                         },
                         {
                             "fragments": [
                                 {
                                     "op": "end-of-list match",
                                     "value": "first"
                                 }
                             ]
                         }
                     ],
                     "attributes": {
                         "origin": {
                             "value": "igp"
                         },
                         "local-pref": {
                             "pref": 100
                         }
                     }
                 }
             ]
         }

-----

**Extended Communities**

* **Traffic Rate**

  .. tabs::

     .. tab:: JSON

        .. code-block:: json
           :linenos:
           :emphasize-lines: 6

           {
               "extended-communities" : {
                   "transitive": true,
                   "traffic-rate-extended-community": {
                       "informative-as": 123,
                       "local-administrator": "AAAAAA=="
                   }
               }
           }

        @line 6: A rate in bytes per second; *AAAAAA==* (0) means traffic discard.

* **Traffic Action**

  .. tabs::

     .. tab:: JSON

        .. code-block:: json

           {
               "extended-communities" : {
                   "transitive": true,
                   "traffic-action-extended-community": {
                       "sample": true,
                       "terminal-action": false
                   }
               }
           }

* **Redirect to VRF AS 2byte format**

  .. tabs::

     .. tab:: JSON

        .. code-block:: json

           {
               "extended-communities" : {
                   "transitive": true,
                   "redirect-extended-community": {
                       "global-administrator": 123,
                       "local-administrator": "AAAAew=="
                   }
               }
           }

* **Redirect to VRF IPv4 format**

  .. tabs::

     .. tab:: JSON

        .. code-block:: json

           {
               "extended-communities" : {
                   "transitive": true,
                   "redirect-ipv4": {
                       "global-administrator": "192.168.0.1",
                       "local-administrator": 12345
                   }
               }
           }

* **Redirect to VRF AS 4byte format**

  .. tabs::

     .. tab:: JSON

        .. code-block:: json

           {
               "extended-communities" : {
                   "transitive": true,
                   "redirect-as4": {
                       "global-administrator": 64495,
                       "local-administrator": 12345
                   }
               }
           }

* **Redirect to IP**

  .. tabs::

     .. tab:: JSON

        .. code-block:: json

           {
               "extended-communities" : {
                   "transitive": true,
                   "redirect-ip-nh-extended-community": {
                       "copy": false
                   }
               }
           }

* **Traffic Marking**

  .. tabs::

     .. tab:: JSON

        .. code-block:: json

           {
               "extended-communities" : {
                   "transitive": true,
                   "traffic-marking-extended-community": {
                       "global-administrator": 20
                   }
               }
           }

-----

To remove the route added above, the following request can be used:

**URL:** ``/rests/data/bgp-rib:application-rib/10.25.1.9/tables=bgp-types:ipv4-address-family,bgp-flowspec:flowspec-subsequent-address-family/bgp-flowspec:flowspec-routes/bgp-flowspec:flowspec-route/flow1/0``

**Method:** ``DELETE``

IPv4 L3VPN Flow Specification
'''''''''''''''''''''''''''''

This example shows how to originate and remove an IPv4 L3VPN flowspec route via the programmable RIB.

**URL:** ``/rests/data/bgp-rib:application-rib/10.25.1.9/tables=bgp-types:ipv4-address-family,bgp-flowspec:flowspec-l3vpn-subsequent-address-family/bgp-flowspec:flowspec-l3vpn-ipv4-routes``

**Method:** ``POST``

.. tabs::

   .. tab:: JSON

      **Content-Type:** ``application/json``

      **Request Body:**

      .. code-block:: json

         {
             "flowspec-l3vpn-route": [
                 {
                     "route-key": "flow-l3vpn",
                     "path-id": 0,
                     "route-distinguisher": "172.16.0.44:101",
                     "flowspec": [
                         {
                             "source-prefix": "10.0.0.3/32"
                         }
                     ],
                     "attributes": {
                         "origin": {
                             "value": "igp"
                         },
                         "extended-communities": [
                             {
                                 "redirect-ipv4": {
                                     "global-administrator": "172.16.0.44",
                                     "local-administrator": 102
                                 },
                                 "transitive": true
                             }
                         ],
                         "local-pref": {
                             "pref": 100
                         }
                     }
                 }
             ]
         }

-----

To remove the route added above, the following request can be used:

**URL:** ``/rests/data/bgp-rib:application-rib/10.25.1.9/tables=bgp-types:ipv4-address-family,bgp-flowspec:flowspec-l3vpn-subsequent-address-family/bgp-flowspec:flowspec-l3vpn-ipv4-routes/flowspec-l3vpn-route/flow-l3vpn/0``

**Method:** ``DELETE``

IPv6 Flow Specification
'''''''''''''''''''''''

This example shows how to originate and remove an IPv6 flowspec route via the programmable RIB.

**URL:** ``/rests/data/bgp-rib:application-rib/10.25.1.9/tables=bgp-types:ipv6-address-family,bgp-flowspec:flowspec-subsequent-address-family/bgp-flowspec:flowspec-ipv6-routes``

**Method:** ``POST``

.. tabs::

   .. tab:: JSON

      **Content-Type:** ``application/json``

      **Request Body:**

      .. code-block:: json

         {
             "flowspec-route": [
                 {
                     "route-key": "flow-v6",
                     "path-id": 0,
                     "flowspec": [
                         {
                             "destination-prefix": "2001:db8:30::3/128"
                         },
                         {
                             "source-prefix": "2001:db8:31::3/128"
                         },
                         {
                             "flow-label": [
                                 {
                                     "op": "end-of-list equals",
                                     "value": 1
                                 }
                             ]
                         }
                     ],
                     "attributes": {
                         "origin": {
                             "value": "igp"
                         },
                         "extended-communities": [
                             {
                                 "redirect-ipv6": {
                                     "global-administrator": "2001:db8:1::6",
                                     "local-administrator": 12345
                                 },
                                 "transitive": true
                             }
                         ],
                         "local-pref": {
                             "pref": 100
                         }
                     }
                 }
             ]
         }

-----

To remove the route added above, the following request can be used:

**URL:** ``/rests/data/bgp-rib:application-rib/10.25.1.9/tables=bgp-types:ipv6-address-family,bgp-flowspec:flowspec-subsequent-address-family/bgp-flowspec:flowspec-ipv6-routes/bgp-flowspec:flowspec-route/flow-v6/0``

**Method:** ``DELETE``

References
^^^^^^^^^^

* Dissemination of Flow Specification Rules
* Dissemination of Flow Specification Rules for IPv6
* BGP Flow-Spec Extended Community for Traffic Redirect to IP Next Hop
* Clarification of the Flowspec Redirect Extended Community
* Revised Validation Procedure for BGP Flow Specifications
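The Programming section above originates a route with a POST to the application RIB and withdraws it with a DELETE on the route's key and path-id. The following is an added example, not code from the OpenDaylight BGP project: it builds a ``flowspec-route`` body in the shape used there, attaches a Traffic Rate action (the ``local-administrator`` of that community is the RFC 5575 rate, a 4-octet IEEE 754 float in bytes per second, which the API carries base64-encoded, so ``AAAAAA==`` is 0 and means discard), and issues the two requests through the standard library. The controller base URL, the credentials, the application peer address and the route names are assumptions of this example.

```python
"""Originate and withdraw a rate-limited IPv4 flowspec rule via the application RIB.

Added example (not OpenDaylight project code). Network calls are only made
from the __main__ block; the builders and encoders are pure functions.
"""
import base64
import json
import struct
import urllib.parse
import urllib.request

# Assumed deployment values: replace with your controller and application peer.
BASE_URL = "http://127.0.0.1:8181"
APP_PEER = "10.25.1.9"          # application peer address from the page's URLs
AUTH = ("admin", "admin")       # placeholder credentials

# Table URL from the Programming section, IPv4 unicast flowspec SAFI.
TABLE = ("/rests/data/bgp-rib:application-rib/" + APP_PEER +
         "/tables=bgp-types:ipv4-address-family,"
         "bgp-flowspec:flowspec-subsequent-address-family/bgp-flowspec:flowspec-routes")


def rate_to_local_administrator(bytes_per_second: float) -> str:
    """Encode a traffic-rate as the API expects: base64 of a big-endian float32."""
    if bytes_per_second < 0:
        raise ValueError("rate must be non-negative")
    return base64.b64encode(struct.pack(">f", bytes_per_second)).decode("ascii")


def local_administrator_to_rate(encoded: str) -> float:
    """Inverse of rate_to_local_administrator, for reading routes back from the RIB."""
    raw = base64.b64decode(encoded)
    if len(raw) != 4:
        raise ValueError("traffic-rate local-administrator must be 4 octets")
    return struct.unpack(">f", raw)[0]


def build_rate_limited_route(route_key, destination_prefix, protocol,
                             destination_ports, rate_bps=0.0, informative_as=0):
    """Match a destination prefix, IP protocol and port list; rate-limit (0 = drop)."""
    if not destination_ports:
        raise ValueError("need at least one destination port")
    port_ops = [{"op": "equals", "value": int(p)} for p in destination_ports]
    port_ops[-1]["op"] = "equals end-of-list"   # end-of-list closes the operator list
    return {
        "flowspec-route": [{
            "route-key": route_key,
            "path-id": 0,
            "flowspec": [
                {"destination-prefix": destination_prefix},
                {"protocol-ips": [{"op": "equals end-of-list", "value": int(protocol)}]},
                {"destination-ports": port_ops},
            ],
            "attributes": {
                "origin": {"value": "igp"},
                "local-pref": {"pref": 100},
                "extended-communities": [{
                    "transitive": True,
                    "traffic-rate-extended-community": {
                        "informative-as": informative_as,
                        "local-administrator": rate_to_local_administrator(rate_bps),
                    },
                }],
            },
        }]
    }


def route_url(route_key: str, path_id: int = 0) -> str:
    """DELETE target: <table>/bgp-flowspec:flowspec-route/<route-key>/<path-id>."""
    key = urllib.parse.quote(route_key, safe="")
    return BASE_URL + TABLE + f"/bgp-flowspec:flowspec-route/{key}/{path_id}"


def _request(method: str, url: str, body=None) -> int:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(":".join(AUTH).encode()).decode("ascii")
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:
        return resp.status


def originate(route: dict) -> int:
    return _request("POST", BASE_URL + TABLE, route)


def withdraw(route_key: str, path_id: int = 0) -> int:
    return _request("DELETE", route_url(route_key, path_id))


if __name__ == "__main__":
    # Constructed rule: drop UDP/53 towards one host (a typical DDoS mitigation entry).
    route = build_rate_limited_route("flow-drop-dns", "192.0.2.10/32", 17, [53])
    print(json.dumps(route, indent=2))
    print("POST", originate(route))
    print("DELETE", withdraw("flow-drop-dns"))
```

Decoding the value on the way back (``local_administrator_to_rate``) is the check an operator wants when auditing what is actually in the Loc-RIB: a rule whose rate decodes to 0.0 discards traffic, while any positive value only polices it.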