Skip to main content

Applying BGP flowspec rules on a specific interface set

Document Type Replaced Internet-Draft (idr WG)
Authors Stephane Litkowski , Adam Simpson , Keyur Patel , Jeffrey Haas
Last updated 2016-03-25 (Latest revision 2015-12-08)
Replaced by draft-ietf-idr-flowspec-interfaceset
Stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Expired & archived
Stream WG state Candidate for WG Adoption
Document shepherd (None)
IESG IESG state Replaced by draft-ietf-idr-flowspec-interfaceset
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


BGP Flow-spec is an extension to BGP that allows for the dissemination of traffic flow specification rules. The primary application of this extension is DDoS mitigation where the flowspec rules are applied in most cases to all peering routers of the network. This document will present another use case of BGP Flow-spec where flow specifications are used to maintain some access control lists at network boundary. BGP Flowspec is a very efficient distributing machinery that can help in saving OPEX while deploying/updating ACLs. This new application requires flow specification rules to be applied only on a specific subset of interfaces and in a specific direction. The current specification of BGP Flow-spec does not detail where the flow specification rules need to be applied. This document presents a new interface-set flowspec action that will be used in complement of other actions (marking, rate-limiting ...). The purpose of this extension is to inform remote routers on where to apply the flow specification. This extension can also be used in a DDoS mitigation context where a provider wants to apply the filtering only on specific peers.


Stephane Litkowski
Adam Simpson
Keyur Patel
Jeffrey Haas

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)