Internet DRAFT - draft-bashir-idr-inter-provider-flowspec-actions
Internet Engineering Task Force Ahmed Bashir
Internet-Draft 12 December 2016
Updates: 5575 (if approved)
Intended status: Standards Track
Expires: December 12, 2017
Inter-provider Propagation of BGP Flow specification Rules
draft-bashir-idr-inter-provider-flowspec-actions-00
Abstract
This document describes a mechanism to propagate and handle flowspec messages beyond adjacent flowspec address family peers.
The message propagation and handling techniques described in this draft allow the filtering actions to be taken at the point nearest to the origin of a DDoS attack.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
1. Introduction
BGP Flowspec uses the (AFI, SAFI) pairs allocated by IANA: (1, 133) for IPv4 and (1, 134) for VPNv4.
Because flowspec message handling depends on the semantics derived from the (AFI, SAFI) pair, the "transitivity" of a flowspec rule is limited to BGP peers that speak the same Subsequent Address Family, unlike unicast routing, which is propagated all over the Internet.
The original motivation, mitigating DDoS attacks, is in turn limited by the hardware capabilities of the routers on which the flowspec filtering actions are applied.
2. Proposed Flowspec Message Handling Process
Message Originator:
- The initiating router sends a flowspec message with the destination prefix embedded in the flow specification along with the other parameters (source prefix and action).
- The initiator should also attach a special transitive extended community.
Intra-AS peers:
- Intra-AS peers configured under the flowspec address family are instructed by the special community to propagate the update as a BGP unicast update to ordinary BGP-4 adjacent peers.
Intermediary/Terminal Routers:
- Upon receiving the flowspec update from a neighbor as a unicast BGP update, the source prefix embedded in the flowspec rule should be looked up in the BGP table.
- If the AS path of the longest-prefix-match entry in the BGP table is not empty, the update message should be propagated further.
- If the AS path is empty, the flowspec filtering action should be installed on that router.
The rationale is that BGP routes with an empty AS path are injected into BGP from within the local AS, so an empty AS path for the source prefix means the attack source is reachable without crossing another AS.
In simple words, the flowspec rule is propagated until it reaches the router nearest to the attack source, and the filtering action is installed there.
3. Operational Considerations
Apart from the obvious requirement that BGP implementations be able to handle and propagate the proposed flowspec message encodings, one design and implementation point deserves attention.
When routers receive the proposed flowspec update messages they should not initiate any path recalculation based on them; in a large-scale attack, such behaviour can lead to unpredictable instability.
4. Security Considerations
Citing RFC 5575: "A flow specification NLRI must be validated such that it is
considered feasible if and only if: a) The originator of the flow specification matches the originator of the best-match unicast route for the destination prefix embedded in the flow specification."
This precaution, applied when accepting an incoming flowspec rule, verifies that the origin of the flowspec route is authorized to filter traffic towards the embedded destination.
If the rule is not validated, an attacker can carry out a new DoS attack by advertising a flowspec route that filters traffic owned by any service provider towards any destination.
In intra-provider flowspec deployments, there are efforts [2] to revise the validation procedures to allow centralized client-server deployment models.
This allows a server to populate and send flowspec routes even if it is not the best path for the unicast route advertised in the flowspec rule.
In the proposed model, which aims to disseminate flowspec rules across provider boundaries, it is crucial to retain the validation procedures specified in RFC 5575.
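The following is an added worked example, not code from the draft or from any router implementation. It models the decision an intermediary/terminal router makes under Section 2 on a flowspec rule carried in a unicast update, gated by the RFC 5575 validation check (a) that Section 4 insists on. The BGP table, peer addresses, rule contents and the community name are constructed for the example; the draft assigns no value to the special transitive extended community, so the name used here is an assumption.

```python
# Added example (not from the draft): Section 2 handling of a unicast-carried
# flowspec rule, preceded by the RFC 5575 feasibility check (a) from Section 4.
import ipaddress
from dataclasses import dataclass

# Placeholder for the "special transitive extended community" of Section 2.
# The draft assigns no value (IANA section is TBD), so this name is an assumption.
PROPAGATE_COMMUNITY = "inter-provider-flowspec"


@dataclass(frozen=True)
class Route:
    prefix: str        # unicast prefix in the local BGP table
    originator: str    # peer the route was learned from; "local" if injected here
    as_path: tuple     # () means the route was injected from within the local AS


@dataclass(frozen=True)
class FlowspecRule:
    dst_prefix: str    # victim prefix embedded in the flow specification
    src_prefix: str    # attack source prefix embedded in the flow specification
    action: str        # e.g. "discard"
    originator: str    # peer the flowspec update was received from
    communities: frozenset


def best_match(bgp_table, prefix):
    """Longest-prefix match of `prefix` against the unicast BGP table (None if uncovered)."""
    target = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for route in bgp_table:
        net = ipaddress.ip_network(route.prefix)
        if net.version == target.version and target.subnet_of(net):
            covering.append((net.prefixlen, route))
    if not covering:
        return None
    return max(covering, key=lambda item: item[0])[1]


def valid_per_rfc5575(rule, bgp_table):
    """RFC 5575 check (a): the flowspec originator must match the originator of the
    best-match unicast route for the embedded destination prefix."""
    best = best_match(bgp_table, rule.dst_prefix)
    return best is not None and best.originator == rule.originator


def handle_rule(rule, bgp_table):
    """Return this router's decision: 'ignore', 'reject', 'propagate' or 'install'."""
    if PROPAGATE_COMMUNITY not in rule.communities:
        return "ignore"       # not marked for inter-provider handling
    if not valid_per_rfc5575(rule, bgp_table):
        return "reject"       # Section 4: unauthorized origin could filter someone else's traffic
    src_route = best_match(bgp_table, rule.src_prefix)
    if src_route is None:
        return "reject"       # draft is silent on an unknown source; refusing is this example's choice
    if src_route.as_path:
        return "propagate"    # source lies beyond another AS: forward towards the attack origin
    return "install"          # empty AS path: source is in the local AS, filter here


# Constructed BGP table of a transit router somewhere on the path (TEST-NET prefixes).
BGP_TABLE = (
    Route("203.0.113.0/24", originator="192.0.2.1", as_path=(64496,)),     # victim, learned from peer A
    Route("198.51.100.0/24", originator="192.0.2.2", as_path=(64501,)),    # attack source, further upstream
    Route("198.51.100.128/25", originator="local", as_path=()),            # attack source homed in our own AS
)


def demo():
    marked = frozenset({PROPAGATE_COMMUNITY})
    upstream = FlowspecRule("203.0.113.0/24", "198.51.100.0/25", "discard", "192.0.2.1", marked)
    local = FlowspecRule("203.0.113.0/24", "198.51.100.200/32", "discard", "192.0.2.1", marked)
    spoofed = FlowspecRule("203.0.113.0/24", "198.51.100.0/24", "discard", "192.0.2.9", marked)
    unmarked = FlowspecRule("203.0.113.0/24", "198.51.100.0/24", "discard", "192.0.2.1", frozenset())
    return {
        "upstream": handle_rule(upstream, BGP_TABLE),   # propagate
        "local": handle_rule(local, BGP_TABLE),         # install
        "spoofed": handle_rule(spoofed, BGP_TABLE),     # reject
        "unmarked": handle_rule(unmarked, BGP_TABLE),   # ignore
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:9s} -> {decision}")
```

The "spoofed" rule is the attack of Section 4: a peer that does not carry the best-match unicast route for the victim prefix tries to get traffic towards that prefix discarded, and the RFC 5575 check rejects it before the Section 2 logic runs. The "local" rule lands on the more-specific /25 injected by this AS, so its empty AS path stops propagation and the filter is installed here, which is the "nearest point to the attack origin" of the abstract.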
5. IANA Considerations
TBD
6. References
[RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
and D. McPherson, "Dissemination of Flow Specification
Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009.
[RFC7674] Haas, J., Ed., "Clarification of the Flowspec Redirect
Extended Community", RFC 7674, DOI 10.17487/RFC7674, October 2015.
Author's Address
Ahmed Bashir
+971 50 1192280
Dubai
UAE
Email: amdbasheir@gmail.com