osrg / gobgp

BGP implemented in the Go Programming Language
https://osrg.github.io/gobgp/
Apache License 2.0
3.59k stars 684 forks

Limit number of announces in GoBGP RIB per AFI #2749

Open pavel-odintsov opened 9 months ago

pavel-odintsov commented 9 months ago

Hello!

I hope you're doing well.

I'm trying to approach one of the pretty curious cases related to a limitation on the number of BGP Flow Spec announces which may be imposed by the remote side.

There is a pretty short list of ISPs which offer BGP Flow Spec to their customers. For security and validation reasons they limit the number of BGP Flow Spec announces received by third party by some pretty low number. Let's say 50, and when we reach this number they shut down the BGP Flow Spec session with the customer, which leads to withdrawal of all announces, which causes havoc and exposes networks to DDoS.

I know that an option to limit the number of announces received from a remote peer exists in GoBGP:

max-prefixes = 1000

We're looking for an option to implement a limit on the number of announces GoBGP stores in the local RIB.

Our expected behaviour when the limit is reached is to receive an error when we attempt to add a prefix:

gobgp global rib add 10.33.0.0/16 -a ipv4

We clearly can implement it from our side, but I think it may be beneficial for other customers to have it.

What do you think about it?
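A sketch of the client-side approach the post above mentions ("implement it from our side"), as an added example that is not GoBGP code or the poster's code: a hypothetical `Guard` type that the caller consults before originating a route and that returns an error once a per-family cap is reached. The family names, the cap of 2 and the rule keys are constructed, and the actual call into GoBGP is left to the caller.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrLimit is returned when a new route would exceed the family's cap.
var ErrLimit = errors.New("local RIB limit reached")

// Guard (hypothetical) tracks locally originated routes per address family.
// It is not safe for concurrent use; wrap it in a mutex if needed.
type Guard struct {
	limits map[string]int                 // family -> cap; absent means unlimited
	routes map[string]map[string]struct{} // family -> set of route keys
}

func NewGuard(limits map[string]int) *Guard {
	return &Guard{limits: limits, routes: map[string]map[string]struct{}{}}
}

// Add reserves a slot for key. Re-adding a known key is an update, not a new route.
func (g *Guard) Add(family, key string) error {
	set := g.routes[family]
	if set == nil {
		set = map[string]struct{}{}
		g.routes[family] = set
	}
	if _, ok := set[key]; ok {
		return nil
	}
	if limit, ok := g.limits[family]; ok && len(set) >= limit {
		return fmt.Errorf("%w: %s holds %d of %d", ErrLimit, family, len(set), limit)
	}
	set[key] = struct{}{}
	return nil
}

// Withdraw frees the slot held by key, if any.
func (g *Guard) Withdraw(family, key string) { delete(g.routes[family], key) }

// Count reports how many routes are tracked for family.
func (g *Guard) Count(family string) int { return len(g.routes[family]) }

func main() {
	g := NewGuard(map[string]int{"ipv4-flowspec": 2}) // constructed cap
	for _, r := range []string{"rule-a", "rule-b", "rule-c"} {
		fmt.Println(r, g.Add("ipv4-flowspec", r)) // third add is refused
	}
}
```

Calling `Add` before the route is sent and `Withdraw` after it is removed keeps the count below the upstream's threshold, so the refused add surfaces as an error to the operator instead of as a session teardown.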

fujita commented 9 months ago

Do other BGP implementations support such a feature?

pavel-odintsov commented 9 months ago

Hello!

Thank you for the reply!

I'm not aware of such capabilities from vendors, but a friend of mine pointed to this capability in the OpenConfig schema for BGP:

https://openconfig.net/projects/models/schemadocs/yangdoc/openconfig-network-instance.html#network-instances-network-instance-protocols-protocol-bgp-global-afi-safis-afi-safi-ipv4-unicast-prefix-limit-config

If I interpret the documentation correctly, it provides an option to limit the number of active announces per AFI locally.

On Fri, 1 Dec 2023 at 08:06, FUJITA Tomonori @.***> wrote:

Other BGP implementations support such feature?


fujita commented 9 months ago

Is this the maximum number of prefixes that will be accepted from a peer?

pavel-odintsov commented 9 months ago

I do not think so. This one is a global number of prefixes per AFI / SAFI in local RIB. I found this conversation and it has some details about exactly this topic: https://github.com/openconfig/public/issues/13