An Overview of BGP FlowSpec

I have given this presentation a few times in the last year and was asked to make this available for public consumption. Essentially, this is a brief overview of RFC 5575, entitled “Dissemination of Flow Specification Rules”, written by Danny McPherson, Jared Mauch, and others.

This standard had a somewhat rocky beginning because vendor support was limited, but it has recently picked up quite a bit of steam, with Cisco announcing support for the protocol in the very near future.

The benefit of BGP Flow Spec is that it allows BGP speakers to use a new BGP NLRI defining flow filter information, which can then be advertised to upstream neighbors via BGP. The primary and immediate motivation of this protocol is to provide intra- and inter-provider distribution of traffic filtering rules to filter DoS and DDoS attacks; however, it can be used for a wide variety of applications in which filtering information must be dynamically distributed throughout a network.
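To make the "new NLRI" concrete, here is an added example (not taken from the slides) that encodes a flow specification and the traffic-rate action as RFC 5575 lays them out on the wire. The function names are hypothetical, the addresses are documentation prefixes, AS 64512 is a private AS chosen for illustration, and only the prefix, protocol and port components with the "equals" operator are handled.

```python
import ipaddress
import struct

# RFC 5575 component types (subset handled by this sketch).
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
END_OF_LIST, EQUALS, TWO_BYTE = 0x80, 0x01, 0x10  # numeric operator bits


def _prefix(ctype, cidr):
    """<type, prefix length in bits, prefix truncated to whole octets>"""
    net = ipaddress.IPv4Network(cidr)
    octets = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:octets]


def _numeric(ctype, values):
    """<type, [operator, value]+>; values are ORed (the 'and' bit stays 0)."""
    out = bytes([ctype])
    for i, value in enumerate(values):
        wide = value > 0xFF
        op = EQUALS | (TWO_BYTE if wide else 0)
        if i == len(values) - 1:
            op |= END_OF_LIST
        out += bytes([op]) + value.to_bytes(2 if wide else 1, "big")
    return out


def encode_nlri(dst=None, src=None, proto=(), dst_port=(), src_port=()):
    """Encode one flow specification; components go in ascending type order."""
    body = b""
    if dst:
        body += _prefix(DST_PREFIX, dst)
    if src:
        body += _prefix(SRC_PREFIX, src)
    for ctype, values in ((IP_PROTO, proto), (DST_PORT, dst_port), (SRC_PORT, src_port)):
        if values:
            body += _numeric(ctype, list(values))
    if len(body) < 240:                      # one-octet length
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body  # two-octet length


def traffic_rate(asn, bytes_per_second):
    """Traffic-rate extended community (type 0x8006); a rate of 0 means discard."""
    return struct.pack("!HHf", 0x8006, asn, bytes_per_second)


if __name__ == "__main__":
    # Constructed rule: drop UDP/53 toward the documentation host 192.0.2.1.
    print(encode_nlri(dst="192.0.2.1/32", proto=[17], dst_port=[53]).hex())
    print(traffic_rate(64512, 0.0).hex())
```

The NLRI says what to match and the extended community attached to the same UPDATE says what to do with it, which is why a single advertisement can replace a hand-pushed ACL on every edge router that accepts it.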

I will probably make additional modifications to these slides as the protocol gains a more significant foothold throughout the vendor community and as Service Providers gain more practical deployment experience. As with my other presentations, I will eventually add a voice-over to turn this into a slide-cast.

 

5 Replies to “An Overview of BGP FlowSpec”

  1. I am not sure where you are getting your info, but this is a really interesting topic. I need to spend some time learning more or understanding more about Flowspec, and I am glad I found your site. Thanks for the great information; I was looking for this info for a project at work.

  2. Since this is relatively new by RTBH standards, does anyone know if it’s being used anywhere in the network today?

    1. Hi Doan,

      During my time at Arbor, I worked with a few customers who did implement BGP Flowspec internally so as to automate the distribution of ACLs to some of their edge routers, and also to automate some of the offramping to their mitigation devices. However, beyond that I don’t have any idea how prevalent this may be in many networks. I have a feeling this is relegated to just a few networks that have very clueful engineers…

  3. Hi Stefan,
    Very interesting info.
    Did you get the list of ISPs which support BGP flowspec?
    Would be great to see it.
    Thanks.

  4. Instead of using FSpec as an upstream filter, is it possible to rely on FSpec to inform the attack target (at the destination) about an eventual malicious flow?
