Flowspec

BGP Flowspec is an extension to BGP, defined in RFC 5575. It adds new address-families to BGP: ipv4/ipv6 flowspec and vpnv4/vpnv6 flowspec. The purpose of this new address family is to share traffic flow specifications with all routers in your internal network.

Flowspec is a much more powerful and advanced version of RTBH. In the previous article, we accomplished source-based and destination-based RTBH by implementing a null0 static route on all routers, and pointing the traffic we want to drop to this null route.

With Flowspec we can accomplish the same thing but much more elegantly. With flowspec we don’t need to configure static routes and redistribute static routes into BGP. We define the flow we want to drop (i.e. source address = 1.1.1.1), disseminate that information via MP-BGP to all PE routers, and all PE routers will automatically perform the action.

In addition to matching on source/destionation IPv4 address, we can essentially match on anything we can match with a class-map. This incldues L4 ports, IP precendence, TCP flags, etc. In fact we can also rate-limit instead of drop traffic altogether. The BGP NLRI defines the matching criteria, and an extended community defines the action (drop, police, etc).

In a way, Flowspec allows you to use the flexibility of QoS tools and dissemintate the policy through BGP. All routers will automatically install the policy or “rules” learned through BGP into their own forwarding plane.

Lab

Let’s use the same topology as the last article (RTBH). First, remove all the static routes and static redistribution into BGP on P4.

In this lab, P4 will simply be the Flowspec “server” or distribution point. We’ll configure all policies on P4, but P4 will not have to act on the policies itself, since it is not on the internet edge.

On all PEs, configure flowspec to locally install policies learned via BGP on all interfaces. On P4, we’ll simply enable flowspec.

#PE1, PE2, PE3
flowspec
 local-install interface-all

#P4
flowspec

We’ll now enable the ipv4 flowspec BGP address-family so that all PE routers will learn policies defined on P4.

#PE1, PE2, PE3
router bgp 65000
 address-family ipv4 flowspec
  neighbor 10.4.4.4 activate

#P4
router bgp 65000
 address-family ipv4 flowspec
 neighbor-group IBGP
  address-family ipv4 flowspec
   route-reflector-client

All PEs should have a neighborship with P4 now for the flowspec address-family, but with no routes learned yet:

PE1#show bgp ipv4 flowspec sum
BGP router identifier 10.1.1.1, local AS number 65000
BGP table version is 3, main routing table version 3
1 networks peaked at 18:52:44 Aug 2 2022 UTC (00:15:32.492 ago)

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.4.4.4        4        65000      35      28        3    0    0 00:19:23        0

Let’s configure a simple policy on P4 to drop any traffic sourced from 100.1.1.2 (CE1)

#P4
class-map type traffic match-all DROP_CE1
 match source-address ipv4 100.1.1.2/32
end-class-map
!
policy-map type pbr DROP_CE1
 class DROP_CE1
  drop
 exit
end-policy-map
!
flowspec
 address-family ipv4
  service-policy type pbr DROP_CE1

This CLI syntax should look familiar, as it is practically the same as configuring QoS. Flowspec can only use a service-policy type of pbr, at least on XRv. We use the class-map to match the traffic we want to control, then use the policy map to define the action we take, which is drop. Finally we associate this policy-map with flowspec, and it is automatically signalled into BGP. Optionally you can use the local keyword on the service-policy to only install the policy locally and not redistribute it into BGP.

On PE1 you should see that the flowspec policy was automatically received and installed.

PE1#show flowspec ipv4 sum
VRF: default
  AFI: IPv4
    Total Flows:              1
    Total Service Policies:   0

PE1#show flowspec ipv4
AFI: IPv4
  Flow           :Source:100.1.1.2/32
    Actions      :Traffic-rate: 0 bps  (bgp.1)

Let’s try pinging CE3 from CE1.

CE1#ping 100.1.1.10 source gi1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.10, timeout is 2 seconds:
Packet sent with a source address of 100.1.1.2 
.....
Success rate is 0 percent (0/5)


PE1#show flowspec ipv4 detail 
AFI: IPv4
  Flow           :Source:100.1.1.2/32
    Actions      :Traffic-rate: 0 bps  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :                   5/570                
      Dropped             :                   5/570

PE1 shows us the number of packets and bytes that have matched this policy.

Isn’t this more straightforward than manually-configured RTBH? Flowspec allows us to essentially disseminate firewall policy and have routers automatically install the policy as soon as we commit. This makes Flowspec very powerful but perhaps a bit dangerous, as it was the source of a large CenturyLink outage back in 2020. (https://www.thousandeyes.com/blog/centurylink-level-3-outage-analysis)

Let’s view a pcap of the BGP NLRI that defines this policy:

Notice that flowspec has its own NLRI which defines filter information. Here we see that we are using a source prefix filter for 100.1.1.2/32. Also notice that the drop instruction is coded as a shaper rate of 0 Mbps. This is communicated using an extended community. By default, XR will send communities to iBGP neighbors, but if we were using IOS-XE to define the policy, we would have needed to specify send-community extended on the iBGP neighbor(s).

Let’s now rate-limit traffic sourced from 100.1.1.2/32 instead of dropping it completely.

policy-map type pbr DROP_CE1
 class type traffic DROP_CE1
   no drop
   police rate 5000 bps
  

PE1 immediately receives a new BGP update and installs the policy.

PE1#show flowspec ipv4 detail 
AFI: IPv4
  Flow           :Source:100.1.1.2/32
    Actions      :Traffic-rate: 5000 bps  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :                   0/0                  
      Dropped             :                   0/0

When testing, the policing doesn’t appear to be applied. I believe this may be a limitation of the CSR1000v platform.

What if a traffic stream matches multiple policies? Let’s say policy 1 says to drop the traffic but policy 2 says to police it at 100meg. Which takes effect?

Let’s try it out by changing our 100.1.1.2/32 source police back to drop, and configuring an ICMP policy that polices at 1meg.

#P4
policy-map type pbr DROP_CE1
 class type traffic DROP_CE1 
  no police rate 5000 bps
  drop
!
class-map type traffic match-all ICMP_CMAP
 match protocol icmp
end-class-map
!
policy-map type pbr ICMP_PMAP
 class type traffic ICMP_CMAP
  police rate 1 mpbs
  exit
end-policy-map
!
flowspec
 address-family ipv4
  service-policy type pbr ICMP_PMAP

PE1 now has the two policies.

PE1#show flowspec ipv4 detail 
AFI: IPv4
  Flow           :Source:100.1.1.2/32
    Actions      :Traffic-rate: 0 bps  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :                   0/0                  
      Dropped             :                   0/0                  
  Flow           :Proto:=1
    Actions      :Traffic-rate: 1000000 bps  (bgp.1)
    Statistics                        (packets/bytes)
      Matched             :                   0/0                  
      Dropped             :                   0/0

If we ping from CE1, the traffic is dropped. This is because the first match is the policy that takes effect. The drop policy is higher than the police policy.

CE1#ping 100.1.1.10 source gi1                      
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.10, timeout is 2 seconds:
Packet sent with a source address of 100.1.1.2 
.....
Success rate is 0 percent (0/5)

Match Criteria Options

While I would not suggest memorizing this, it may be good to be familiar with the match options.

• Destination Prefix

• Source Prefix

• IP Protocol

• Port

• Destination Port

• Source Port

• ICMP type

• ICMP code

• TCP flags

• Packet length

• DSCP value

• Fragment

Match Action Options

• Drop

• Police

• Redirect VRF

• Set DSCP

• Redirect IPv4 or IPv6 next-hop

Traffic Flow

Flowspec policies are only implemented on ingress traffic. This makes sense, as you want to take action against traffic as it enters your network from the internet edge. Once it passes through your network and is now egressing your PE, it is a little late to apply policy.

In comparison, source-based RTBH works on ingress traffic as well by using uRPF. Destination-based RTBH takes action against ingress traffic but by examining the destination address, as it does under normal IP routing.

Scale

Each router platform will have a different number of supported TCAM entries for flowspec. I’ve seen numbers around 1500 - 8000. This means you will likely not be able to have more than 8000 flowspec policy entries at a given time.

Conclusion

Flowspec is a very powerful tool which uses MP-BGP to dissemeniate information on traffic flow specifications. These dictate match criteria (i.e. source address=100.1.1.2/32) and an action (i.e. drop or police).

This is a much cleaner way of preforming RTBH compared to the previous article. Instead of static null0 routes and uRPF, we can simply use the QoS tools that we are familiar with and pair this with BGP to automatically install policy on all routers in our network.

Further Reading

RFC 5575 https://datatracker.ietf.org/doc/html/rfc5575

https://community.cisco.com/t5/service-providers-blogs/bgp-flowspec-implementation-on-cisco-8000-platforms/ba-p/4019762

https://www.youtube.com/watch?v=Pu9duyPjaxM&ab_channel=DecodingPackets

https://www.youtube.com/watch?v=TVIcvHS6hp4&ab_channel=DecodingPackets