FlowSpec is a standardized method for using BGP to distribute traffic flow specifications (flow routes) throughout a network. A flow route carries a description of a flow in terms of packet header fields such as source IP address, destination IP address, or TCP/UDP port number and indicates (through a community attribute) an action to take on packets matching the flow. The primary application for FlowSpec is DDoS mitigation.
FlowSpec is supported for both IPv4 and IPv6. To exchange IPv4 FlowSpec routes with a BGP peer the flow-ipv4 keyword must be part of the family command that applies to the session and to exchange IPv6 FlowSpec routes with a BGP peer flow-ipv6 must be present in the family configuration.
The NLRI of an IPv4 flow route can contain one or more of the subcomponents shown in Table: Subcomponents of IPv4 flow route NLRI.
| Subcomponent name [type] | Value encoding | SR OS support |
|---|---|---|
Destination IPv4 Prefix [1] |
Prefix length, prefix |
Yes |
Source IPv4 Prefix [2] |
Prefix length, prefix |
Yes |
IP Protocol [3] |
One or more (operator, value) pairs |
Partial. No support for multiple values other than ‟TCP or UDP”. |
Port [4]1 |
One or more (operator, value) pairs |
Yes |
Destination Port [5] |
One or more (operator, value) pairs |
Yes |
Source Port [6] |
One or more (operator, value) pairs |
Yes |
ICMP Type [7] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
ICMP Code [8] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
TCP Flags [9] 2
|
One or more (operator, bitmask) pairs |
Yes |
Packet Length [10] |
One or more (operator, value) pairs |
Yes |
DSCP [11] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
Fragment [12] |
One or more (operator, bitmask) pairs |
Partial. No support for matching DF bit, first-fragment or last-fragment. |
The NLRI of an IPv6 flow route can contain one or more of the subcomponents shown in Table: Subcomponents of IPv6 flow route NLRI.
| Subcomponent name [type] | Value encoding | SR OS support |
|---|---|---|
Destination IPv6 Prefix [1] |
Prefix length, prefix offset, prefix |
Partial. No support for prefix offset. |
Source IPv6 Prefix [2] |
Prefix length, prefix offset, prefix |
Partial. No support for prefix offset. |
Next Header [3] |
One or more (operator, value) pairs |
Partial. Only a single value supported. |
Port [4]1 |
One or more (operator, value) pairs |
Yes |
Destination Port [5] |
One or more (operator, value) pairs |
Yes |
Source Port [6] |
One or more (operator, value) pairs |
Yes |
ICMP Type [7] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
ICMP Code [8] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
TCP Flags [9] |
One or more (operator, bitmask) pairs |
Partial. Only SYN and ACK flags can be matched. |
Packet Length [10] |
One or more (operator, value) pairs |
Yes |
Traffic Class [11] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
Fragment [11] |
One or more (operator, bitmask) pairs |
Partial. No support for matching Last Fragment. |
Flow Label [13] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
Table: IPv4 FlowSpec actions summarizes the actions that may be associated with IPv4 flow-spec routes. Table: IPv6 FlowSpec actions summarizes the actions that may be associated with IPv6 flow-spec routes.
| Action | Encoding | SR OS support |
|---|---|---|
rate limit |
Extended community type 0x8006 |
Yes |
sample/log |
Extended community type 0x8007 S-bit |
Yes |
next entry |
Extended community type 0x8007 T-bit |
— |
Redirect to VRF |
Extended community type 0x8008 |
Yes |
Mark traffic class |
Extended community type 0x8009 |
Yes |
Redirect to IPv4 |
Extended community type 0x010c |
Yes |
Redirect to IPv6 |
Extended community type 0x000c |
— |
Redirect to LSP |
Extended community type 0x0900 |
Partial, only support for ID-type 0x00 (localized ID) |
| Action | Encoding | SR OS support |
|---|---|---|
rate limit |
Extended community type 0x8006 |
Yes |
sample/log |
Extended community type 0x8007 S-bit |
Yes |
next entry |
Extended community type 0x8007 T-bit |
— |
Redirect to VRF |
Extended community type 0x8008 |
Yes |
Mark traffic class |
Extended community type 0x8009 |
Yes |
Redirect to IPv4 |
Extended community type 0x010c |
— |
Redirect to IPv6 |
Extended community type 0x000c |
Yes |
Redirect to LSP |
Extended community type 0x0900 |
Partial, only support for ID-type 0x00 (localized ID) |
FP4-based platforms support multiple (operator, bitmask) pairs, provided a single TCP flag bit is matched in each bitmask pair and the match bit is set to 0, resulting in an AND operation between the TCP flags.
Multiple TCP flags can be set in the same (operator, bitmask) pair, provided there is a single pair in the NLRI component with match bit is set to 1 and not bit set to 0.