BGP Flowspec Redirect to VPN
RD Extended CommunityHuawei Technologieslucy.yong@huawei.comHuawei TechnologiesHuawei Bld., No.156 Beiqing Rd.Beijing100095Chinazhuangshunwan@huawei.comHuawei Technologies101 Software Avenue,Nanjing210012Chinahaoweiguo@huawei.comThis document defines a new type of the redirect extended community,
called as Redirect to VPN RD Extended Community. When activated, the
Redirect to VPN RD Extended Community is used to identify the unique VPN
instance within a router.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119."Dissemination of Flow Specification Rules" ,
commonly known as BGP Flowspec, provided for a BGP Extended Community
[RFC4360] that served to redirect traffic that
matched the flow specification's Network Layer Reachability Information
(NLRI) to a Virtual Routing and Forwarding (VRF) instance that lists the
specified route-target in its import policy. In that RFC, the Redirect
Extended Community was documented as follows: updates RFC 5575 ("Dissemination of Flow
Specification Rules") to clarify the formatting of the BGP Flowspec
Redirect Extended Community. This document defines the following
redirect extended communities:Following example is a case used in a backbone network.Traffic Analyzer is installed at the edge of the backbone to detect
the attack.Scrubbing Center is installed at the edge of the backbone tackle the
attack.VRF scrubbing-vpn is configured on R1 and R2. A default route in R1's
scrubbing-vpn VRF is configured to reach the Scrubbing Center, and
MP-BGP is configured to advertise the default route from VRF
scrubbing-vpn to the remote router R2. +-----+ ip vpn-instance vpn2
| FlowSpec rule with RD: 200:1
| Redirect RT: 100:1 IRT: 10:1 100:1
| ERT: 10:1
| <------Redirect DDoS Traffic
| to Scrubbing Center from R2
| +----------+
| |Scrubbing |
+---+Center |
+----------+
Figure 1 Redirect DDoS Traffic to Scrubbing Center Using Redirect VPN RT
]]>Upon detecting the attack target to the user of the backbone
network, Traffic Analyzer will push a Flowspec rule to R1 with Redirect
RT: 100:1.R1 will advertise the receiving Flowspec rule to R2.If the VRF scrubbing-vpn on R2 is the only VRF routing instance, then
the receiving Flowspec rule from R1 can be imported by the VRF routing
instance scrubbing-vpn. The attack traffic that matches the Flowspec
rule on R2 will be redirected to the VRF scrubbing-vpn and sent to the
Scrubbing Center.However in this case, there are several local instances on R2 can
match the Redirect RT: 100:1(as shown in following table). To make it
work, according to RFC 5575, an operator has to configure R2 so that
'Redirect to VPN' will point to the scrubbing-vpn, which introduces
operation complex and/or prone to an error. To avoid this configuration,
a unique RT value for BGP FS 'Redirect to VPN' action has to be
selected, which can be an operation complex in a large network.The reason for the above issue is that the IRT isn't unique on one
router, for example, IRT 100:1 can be assigned to multiple VRF
instances: vpn1, scrubbing-vpn and vpn2.The Route Distinguisher is unique on one router, In order to address
this operational concern, this document introduces a new type of the
redirect extended community, called as Redirect to VPN RD Extended
Community, When activated, the Redirect to VPN RD Extended Community is
used to identify the unique VPN instance within a router.This document defines a new type of the redirect extended community,
called as Redirect to VPN RD Extended Community. This extended community
is a new transitive extended community with the Sub-Type field is TBD.
The IANA registry of BGP Extended Communities clearly identifies
communities of specific formats: "Two-octet AS Specific Extended
Community" , "Four-octet AS Specific Extended
Community" , and "IPv4 Address Specific Extended
Community" . Route Targets identify this format in the high-order (Type) octet
of the Extended Community, Redirect to VPN RD Extended Community uses
the same mechanismThis document defines the following VPN RD Extended Communities:It should be noted that the low-order nibble of the Redirect's Type
field corresponds to the Route Target Extended Community format field
(Type). (See Sections 3.1, 3.2, and 4 of [RFC4360] plus Section 2 of
[RFC5668].) The low-order octet (Sub-Type) of the Redirect to VPN RD
Extended Community is TBD, in contrast to 0x02 for Route Targets and
0x08 for Redirect to VPN RT Extended Community.Upon detecting the attack target to the user of the backbone network,
Traffic Analyzer will push a Flowspec rule to R1 with Redirect VPN RD:
100:1.R1 will advertise the receiving Flowspec rule to R2.In R2, the receiving Flowspec rule from R1 can be imported by the VRF
routing instance scrubbing-vpn. The attack traffic that matches the
Flowspec rule on R2 will be correctly redirected to the VRF
scrubbing-vpn and sent to the Scrubbing Center. +-----+ ip vpn-instance vpn2
| FlowSpec rule with RD: 200:1
| Redirect VPN RD: 100:1 IRT: 10:1 100:1
| ERT: 10:1
| <------Redirect DDoS Traffic
| to Scrubbing Center from R2
| +----------+
| |Scrubbing |
+---+Center |
+----------+
Figure 3: Redirect DDoS Traffic to Scrubbing Center Using Redirect VPN RD
]]>The above procedures assume that all PEs are upgraded to support the
Redirect to VPN RD Extended Community.TBD.TBD.