FlowSpec is a standardized method for using BGP to distribute traffic flow specifications (flow routes) throughout a network. A flow route carries a description of a flow in terms of packet header fields such as source IP address, destination IP address, or TCP/UDP port number and indicates (through a community attribute) an action to take on packets matching the flow. The primary application for FlowSpec is DDoS mitigation.
FlowSpec is supported for both IPv4 and IPv6. To exchange non-VPN-aware IPv4 FlowSpec routes with a BGP peer, flow-ipv4 must be enabled in the family configuration that applies to the session. To exchange non-VPN-aware IPv6 FlowSpec routes with a BGP peer, flow-ipv6 must be enabled in the relevant family configuration. The IP filter entries created from non-VPN-aware FlowSpec routes can only be used on the IP interfaces of the base or VPRN router instance that received the FlowSpec routes.
SR OS BGP also supports VPN-aware FlowSpec routes. These SAFI 134 routes carry Route Distinguisher (RD) and RT Extended Communities. To exchange VPN-aware IPv4 FlowSpec routes with an IBGP peer of the base router, flow-vpn-ipv4 must be enabled in the family configuration that applies to the session. To exchange VPN-aware IPv6 FlowSpec routes with an IBGP peer of the base router, flow-vpn-ipv6 must be enabled in the relevant family configuration. IP filter entries are created from a VPN-aware FlowSpec route when the route is imported into a locally configured VPRN. This is done by appropriately configuring a VRF import or VRF target policy for the VPRN. There must also be an IP filter policy applied to the IP interfaces of the VPRN that embeds FlowSpec routes.
The NLRI of a FlowSpec IPv4 or FlowSpec-VPN IPv4 route can contain one or more of the subcomponents shown in Table: Subcomponents of FlowSpec IPv4 and FlowSpec-VPN IPv4 NLRI.
| Subcomponent name [type] | Value encoding | SR OS support |
|---|---|---|
|
Destination IPv4 prefix [1] |
Prefix length, prefix |
Yes |
|
Source IPv4 prefix [2] |
Prefix length, prefix |
Yes |
|
IP protocol [3] |
One or more (operator, value) pairs |
Partial. No support for multiple values other than ‟TCP or UDP”. |
|
Port [4]1 |
One or more (operator, value) pairs |
Yes |
|
Destination port [5] |
One or more (operator, value) pairs |
Yes |
|
Source port [6] |
One or more (operator, value) pairs |
Yes |
|
ICMP type [7] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
|
ICMP code [8] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
|
TCP flags [9] 2
|
One or more (operator, bitmask) pairs |
Yes |
|
Packet length [10] |
One or more (operator, value) pairs |
Yes |
|
DSCP [11] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
|
Fragment [12] |
One or more (operator, bitmask) pairs |
Partial. No support for matching DF bit, first-fragment or last-fragment. |
The NLRI of a FlowSpec IPv6 or FlowSpec-VPN IPv6 route can contain one or more of the subcomponents shown in Table: Subcomponents of FlowSpec IPv6 and FlowSpec-VPN IPv6 NLRI.
| Subcomponent name [type] | Value encoding | SR OS support |
|---|---|---|
|
Destination IPv6 prefix [1] |
Prefix length, prefix offset, prefix |
Partial. No support for prefix offset. |
|
Source IPv6 prefix [2] |
Prefix length, prefix offset, prefix |
Partial. No support for prefix offset. |
|
Next header [3] |
One or more (operator, value) pairs |
Partial. Only a single value supported. |
|
Port [4]1 |
One or more (operator, value) pairs |
Yes |
|
Destination port [5] |
One or more (operator, value) pairs |
Yes |
|
Source port [6] |
One or more (operator, value) pairs |
Yes |
|
ICMP type [7] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
|
ICMP code [8] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
|
TCP flags [9] |
One or more (operator, bitmask) pairs |
Partial. Only SYN and ACK flags can be matched. |
|
Packet length [10] |
One or more (operator, value) pairs |
Yes |
|
Traffic class [11] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
|
Fragment [11] |
One or more (operator, bitmask) pairs |
Partial. No support for matching Last Fragment. |
|
Flow label [13] |
One or more (operator, value) pairs |
Partial. Only a single value is supported. |
Table: IPv4 FlowSpec actions summarizes the actions that may be associated with FlowSpec IPv4 and FlowSpec-VPN IPv4 routes. Table: IPv6 FlowSpec actions summarizes the actions that may be associated with FlowSpec IPv6 and FlowSpec-VPN IPv6 routes.
| Action | Encoding | SR OS support |
|---|---|---|
Rate limit |
Extended community type 0x8006 |
Yes |
Sample/log |
Extended community type 0x8007 S-bit |
Yes |
Next entry |
Extended community type 0x8007 T-bit |
— |
Redirect to VRF |
Extended community type 0x8008 |
Yes |
Mark traffic class |
Extended community type 0x8009 |
Yes |
Redirect to IPv4 |
Extended community type 0x010c |
Yes |
Redirect to IPv6 |
Extended community type 0x000c |
— |
Redirect to LSP |
Extended community type 0x0900 |
Partial, only support for ID-type 0x00 (localized ID) |
| Action | Encoding | SR OS support |
|---|---|---|
rate limit |
Extended community type 0x8006 |
Yes |
sample/log |
Extended community type 0x8007 S-bit |
Yes |
next entry |
Extended community type 0x8007 T-bit |
— |
Redirect to VRF |
Extended community type 0x8008 |
Yes |
Mark traffic class |
Extended community type 0x8009 |
Yes |
Redirect to IPv4 |
Extended community type 0x010c |
— |
Redirect to IPv6 |
Extended community type 0x000c |
Yes |
Redirect to LSP |
Extended community type 0x0900 |
Partial, only support for ID-type 0x00 (localized ID) |
FP4-based platforms support multiple (operator, bitmask) pairs, provided a single TCP flag bit is matched in each bitmask pair and the match bit is set to 0, resulting in an AND operation between the TCP flags.
Multiple TCP flags can be set in the same (operator, bitmask) pair, provided there is a single pair in the NLRI component with match bit is set to 1 and not bit set to 0.