Support for Long-lived BGP Graceful Restart

[pavel-odintsov]

Hello, Thomas!

On ENOG9 we have really awesome report about DDoS mitigation for Russia's greatest IX (http://www.enog.org/presentations/enog-9/44-msk-ix-enog-9-kazan.pdf) and they described very interesting topic about BGP persistency.

Case is really simple. We have huge attack to the network with multiple vectors (udp, tcp) and we have mitigated significant part of attack with Flow Spec.

But in some time attack changes vector (for example, to ICMP) and kill whole network. In this time we will lost BGP sessions and already loaded flow spec rules will be dropped from all routers/firewalls. Really worst case.

But this feature could be solved with some sort of timeout until drop announces from disconnected peer. I.e. we need persistency for BGP and BGP Flow SPEC NLRI.

BGP persistency become supported in recent release of Cisco IOS: http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-2/general/release/notes/reln_522a9k.html#concept_122333ADDC0B491FAA28A05045B18510

And my voice for BGP persistency support for ExaBGP. Some nice articles there http://www.slideshare.net/bduvivie/bgp-flowspec-phase-2 and there https://datatracker.ietf.org/doc/draft-uttaro-idr-bgp-persistence/

Thank you!

Thomas' edit: Latest draft https://www.ietf.org/archive/id/draft-uttaro-idr-bgp-persistence-03.txt

[thomas-mangin]

Hi - no objection to add this feature ( and some of the missing FlowSpec new drafts ) but I am in the middle of some other core work, so it will have to wait a little.

[pavel-odintsov]

Really awesome to hear this! No strict ETA but will be fine to get in in 6-12 months when enough amount of vendors will add this features =)

[thomas-mangin]

Before I can implement this feature, I will need access to a router / vm which implement the feature ( so I can check the capability is sent correctly and make sure to use the right value for the LLGR_STALE / NO_LLGR Community ).

[pavel-odintsov]

Hello!

Thanks for interest! Will try to find test laboratory.

Sincerely yours, Pavel Odintsov

[pavel-odintsov]

Hello, Tom!

What about this https://community.gns3.com/thread/3747 ?

[thomas-mangin]

Thank you for the information. I have no GNS3 lab but I will look when I can at what Cisco did.

[thepacketgeek]

I've tried using FlowSpec on the XRv and you can only configure the client side. I received an error trying to commit the following commands:

RP/0/0/CPU0:XRv1(config)# flowspec
RP/0/0/CPU0:XRv1(config-flowspec)# local-install interface-all
RP/0/0/CPU0:XRv1(config)# commit
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors
RP/0/0/CPU0:XRv1(config)#show conf fail
Fri Jun 19 21:44:07.701 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.

flowspec
 local-install interface-all
!!% 'FlowSpec' detected the 'warning' condition 'FS MGR': Not supported

[thomas-mangin]

Hi @thepacketgeek.

Is this message released to this thread ? which is about the implementation of a new draft.

[thepacketgeek]

Yes, I was replying to the thread that Pavel posted on the GNS3 forum about the XRv 5.2.2 release. Just stating that it wouldn't work to test FlowSpec because the feature is not supported on the XRv.

[xiaopeng163]

XRv can't install flowspec rules in local interface, because that need hardware support, but XRv just is a software router.

But you can use that for basic flowspec update sending and receiving

RP/0/0/CPU0:XR5#sh flowspec ipv4 detail 
Wed Jul 15 04:54:43.905 UTC

AFI: IPv4
 Flow           :Dest:192.85.2.3/32,Source:192.85.1.3/32
  Actions       :Traffic-rate: 50000000 bps DSCP: cs3 Nexthop: 192.85.3.3  (policy.1.fs)
RP/0/0/CPU0:XR5#
RP/0/0/CPU0:XR5#

[pavel-odintsov]

@xiaopeng163 it's nice option! Do you have any XRv licenses for open source developers? I would like to deploy it but can't find where I could get it.

[xiaopeng163]

@pavel-odintsov following the link https://community.gns3.com/thread/3747 i can download the iosxvr-k9-demo-5.2.2.ova, but i haven't used it. Because i usually used the Cisco internal image within cisco. So i don't know how to use it for outside people.