BGP FlowSpec Overview
BGP FlowSpec is an extension of the BGP protocol that allows the dynamic propagation of traffic-flow specifications that are more specific than the traffic aggregate defined by an IP prefix. This enables network administrators to control data traffic at any point in their network infrastructure. BGP FlowSpec can be used for various purposes, such as managing congestion or mitigating distributed denial-of-service (DDoS) attacks. Expanding routing information with FlowSpec allows the routing system to use the ACL (Access Control List) or firewall capabilities in the router’s forwarding path.
The figure below shows a traffic scrubbing station that generates a FlowSpec rule in the event of a DDoS attack and sends the BGP FlowSpec update to its neighbouring devices. Any device that can interpret this update drops the DDoS traffic as it arrives.
FlowSpec defines matching criteria for IP packets, encoded into BGP Network Layer Reachability Information (NLRI). These criteria can combine several packet attributes and need not involve reachability information at all. Routers can use FlowSpec to forward, shape, classify, rate limit, filter, or redirect packets based on specific policies, allowing for rules that operate on multiple fields of the packet header.
The figure below shows the high-level flow of BGP FlowSpec design.
FlowSpec involves actively processing and inserting dynamic ACLs in an operational environment. When a router receives a FlowSpec update, it can dynamically create IP filters to mitigate intra-AS and inter-AS DDoS attacks and other unwanted traffic patterns. Mitigation is implemented by dropping or rate-limiting the traffic at the network’s ingress point (or the nearest possible point toward the source of the DDoS attack).
Supported BGP Standards
RFC Number | Description |
---|---|
RFC 8955 | Dissemination of Flow Specification Rules for IPv4 |
RFC 8956 | Dissemination of Flow Specification Rules for IPv6 |

RFC and draft compliance are partial except as specified.
Supported Platforms
Not all features are necessarily supported on each hardware platform. Refer to the Platform Guide for the features and the sub-features that are or are not supported by each platform.
Supported Matching Criteria and Actions
The tables below outline the FlowSpec supported matching criteria and actions.
BGP FlowSpec NLRI Type | Match Criteria | Description | Option | Supported (Yes/No) |
---|---|---|---|---|
Type 1 | Destination-Prefix (ipv4/ipv6) | Defines the destination prefix to match. | specific host | Yes |
Type 1 | | | IP range | Yes |
Type 2 | Source-Prefix (ipv4/ipv6) | Defines the source prefix to match. | specific host | Yes |
Type 2 | | | IP range | Yes |
Type 3 | IP-Protocol | Contains a set of {operator, value} pairs that match the IP protocol value byte in IP packets. | specific value | Yes |
Type 3 | | | multi-value range | No |
Type 4 | Port (src or dst) | Defines a list of {operator, value} pairs that match source or destination ports. | specific value | No |
Type 4 | | | multi-value range | No |
Type 5 | Destination port | Defines a list of {operator, value} pairs used to match the destination port of a TCP or UDP packet. | specific value | Yes |
Type 5 | | | multi-value range | No |
Type 6 | Source port | Defines a list of {operator, value} pairs used to match the source port of a TCP or UDP packet. | specific value | Yes |
Type 6 | | | multi-value range | No |
Type 7 | ICMP type | Defines a list of {operator, value} pairs used to match the type field of an ICMP packet. | specific value | No |
Type 7 | | | multi-value range | No |
Type 8 | ICMP code | Defines a list of {operator, value} pairs used to match the code field of an ICMP packet. | specific value | No |
Type 8 | | | multi-value range | No |
Type 9 | TCP flag | IPv4 or IPv6 TCP flags (2 bytes, including reserved bits). | specific value | No |
Type 9 | | | multi-value range | No |
Type 10 | Packet length | Match on the total IP packet length. | specific value | No |
Type 10 | | | multi-value range | No |
Type 11 | DSCP | Defines a list of {operator, value} pairs that use a multi-value range to match the 6-bit DSCP field. | specific value | No |
Type 11 | | | multi-value range | No |
Type 12 | Fragment | Identifies a fragment type as the bit-mask match criterion for a class map. | specific value | No |
Type 12 | | | multi-value range | No |
The maximum number of matches supported in a single FlowSpec rule is 8. |
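As an added example (not part of this documentation and not the platform's own code), the following Python decoder parses an IPv4 FlowSpec NLRI into the component types listed above and then checks the decoded rule against the support table and the eight-match limit. The sample NLRI bytes, the component names and the `unsupported_reasons` check are constructed for this example.

```python
import ipaddress
# Component types from RFC 8955; the table above supports only single-value matches on types 3, 5 and 6.
COMPONENT_NAMES = {1: "dst-prefix", 2: "src-prefix", 3: "ip-protocol", 4: "port",
                   5: "dst-port", 6: "src-port", 7: "icmp-type", 8: "icmp-code",
                   9: "tcp-flags", 10: "packet-length", 11: "dscp", 12: "fragment"}
SINGLE_VALUE_OK, MAX_MATCHES = {3, 5, 6}, 8  # supported numeric types; per-rule match limit

def decode_operators(buf: bytes, pos: int, bitmask: bool) -> tuple:
    """Parse {operator, value} pairs until the end-of-list bit (0x80) is set."""
    pairs = []
    while True:
        op = buf[pos]
        vlen = 1 << ((op >> 4) & 0x03)  # operator bits 2-3 give the value length: 1/2/4/8 bytes
        pair = {"and": bool(op & 0x40), "value": int.from_bytes(buf[pos + 1:pos + 1 + vlen], "big")}
        flags = ("not", "match") if bitmask else ("lt", "gt", "eq")  # types 9 and 12 use the bitmask form
        for i, name in enumerate(reversed(flags)):  # comparison flags occupy the lowest operator bits
            pair[name] = bool(op & (1 << i))
        pairs.append(pair); pos += 1 + vlen
        if op & 0x80: return pairs, pos

def decode_flowspec_nlri(nlri: bytes) -> list:
    """Decode one IPv4 FlowSpec NLRI (RFC 8955 section 4) into its ordered components."""
    # the NLRI length is one byte below 240, otherwise two bytes whose high nibble is 0xF
    length, pos = (nlri[0], 1) if nlri[0] < 0xF0 else (((nlri[0] & 0x0F) << 8) | nlri[1], 2)
    end, comps = pos + length, []
    while pos < end:
        ctype = nlri[pos]; pos += 1
        if ctype in (1, 2):  # prefix component: length in bits, then only the significant bytes
            plen, nbytes = nlri[pos], (nlri[pos] + 7) // 8
            raw = nlri[pos + 1:pos + 1 + nbytes] + bytes(4 - nbytes); pos += 1 + nbytes
            net = ipaddress.IPv4Network((raw, plen), strict=False)
            comps.append({"type": ctype, "name": COMPONENT_NAMES[ctype], "prefix": str(net)})
        elif ctype in COMPONENT_NAMES:
            ops, pos = decode_operators(nlri, pos, bitmask=ctype in (9, 12))
            comps.append({"type": ctype, "name": COMPONENT_NAMES[ctype], "ops": ops})
        else:
            raise ValueError(f"unknown FlowSpec component type {ctype}")
    return comps

def unsupported_reasons(comps: list) -> list:
    """Reasons, per the tables above, why this platform would not install the rule (empty = accepted)."""
    reasons = [f"{len(comps)} matches exceed the limit of {MAX_MATCHES}"] if len(comps) > MAX_MATCHES else []
    for c in (c for c in comps if "ops" in c):
        if c["type"] not in SINGLE_VALUE_OK:
            reasons.append(f"type {c['type']} ({c['name']}) is not supported")
        elif len(c["ops"]) > 1:
            reasons.append(f"multi-value range on type {c['type']} ({c['name']}) is not supported")
    return reasons
# Constructed sample NLRI: "dst 192.0.2.0/24, ip-protocol == 17 (UDP), dst-port == 53"
SAMPLE_NLRI = bytes.fromhex("0c 01 18 c0 00 02 03 81 11 05 91 00 35")
```

Running `unsupported_reasons(decode_flowspec_nlri(SAMPLE_NLRI))` returns an empty list, while a rule carrying two destination ports or a TCP-flags component is reported as unsupported.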
No. | Action | Description | Option | Supported (Yes/No) |
---|---|---|---|---|
1 | traffic-rate-bytes | Traffic-rate limit specified in bytes per second. | 0 (drop) | Yes |
1 | | | >0 | Yes |
2 | traffic-rate-packets | Traffic-rate limit specified in packets per second. | 0 (drop) | Yes |
2 | | | >0 | No |
3 | traffic-action | Action that is performed on the traffic that matches the FlowSpec rule. | Terminal | No |
3 | | | Sampling | No |
4 | rt-redirect | Redirects the traffic to a specific VRF instance or to a next hop. | to vrf | No |
4 | | | to nexthop | No |