Inter-provider Propagation of BGP Flow specification Rules

Document Type Active Internet-Draft (individual)
Last updated 2016-12-13
Stream (None)
Intended RFC status (None)
Formats plain text pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Internet Engineering Task Force                                 Ahmed Bashir       
Internet-Draft                                          12 December 2016
Updates: 5575 (if approved)                                    
Intended status: Standards Track 
Expires: December 12, 2017 
                         Inter-provider Propagation of BGP Flow specification Rules

This document describes a mechanism to propagate and handle flowspec messages beyond adjacent flowspec address family peers.
The message propagation and handling techniques described in this draft allows the actions to be taken in the nearst point to DDoS Attack origin.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
1. Introduction
BGP Flowspec , (AFI,SAFI) pairs allocated by IANA  are (1, 133) for IPv4  and (1,134) for VPNv4.
Although, flowspec message handling depends on the semantics derived from the (AFI, SAFI) pair.
This limits it?s ?transitivity? to BGP peers within the same Subsequent Address Family, unlike unicast routing which is propagated all over the internet.
The original motivation of mitigating DDoS attacks is inturn limited to the hardware capabilities in which flowspec filtering actions is apllied in.

2. Proposed Flowspec message handling proccess. 

Message Originator:
-       The initiating router sends flowspec message with the destination prefix embedded in the flow specification along with other parameters, (source prefix, and action)
-       The initiator should also add a special transitive extended community. 

Intra-AS peers:
-       Intra-AS peers which are configured under flowspec address family be instructed by the special community to propagate the update as a BGP unicast update to ordinary BGPv4 adjacent peers

Intermediary/Terminal Routers:
-       Upon receiving the flowspec-BGP update message from a neighbor as unicast-BGP-update ,  the source  prefix embedded in the flowspec rule should be examined against the BGP table.
-       If the AS path that corresponds to the longest prefix match in the BGP table is not empty the update message should be further propagated.
-       If the AS path is empty the flowspec filtering action should be installed on that router.

The logical explanation is that BGP routes with an empty AS-Path are injected into BGP from within the local AS

In simple words, the flowspec rule will be propagated until it reaches to the nearest attack point and filtering actions will be installed there.

3. Operational Considerations

Apart from the obvious requirement that BGP implementations should be able to handle and propagate the proposed Flowspec message encodings.  From a design and implementation perspective. 
When routers receive the proposed flowspec update messages they should not initiate any path recalculation based on the messages being received, in a large-scale attack, such behavior can lead to unpredictable instability.

4. Security Considerations

Citing RFC 5575  , ?A flow specification NLRI must be validated such that it is
considered feasible if and only if: a) The originator of the flow specification matches the originator of the best-match unicast route for the destination prefix embedded in the flow specification..?.
The precautionary procedure of accepting an incoming flowspec rule aims to verify that the origin of the flowspec route is an authorized source. 
If not validated , an attacker can carry out a new DoS attack by advertising a flowspec route to filter traffic owned by any service provider to any destination.
Show full document text