sonic-net / sonic-buildimage

Scripts which perform an installable binary image build for SONiC

ACL for BGP #14536

Open louishot opened 1 year ago

louishot commented 1 year ago

Hello,

I'm looking for a whitelist for BGP to allow specified IPs to establish BGP sessions and reject the others. This helps with security and avoids DDoS traffic hitting the control plane.

I see SONiC creates these rules by default. I also checked this https://github.com/Azure/sonic-buildimage-msft/blob/792a1255886df5ba8e402c9f22dfff517c555304/src/sonic-host-services/scripts/caclmgrd#L62 : no BGP service inside.


```
target     prot opt source               destination         
ACCEPT     all  --  127.0.0.1            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:546:547
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4789
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:49152:65535 dpt:3784
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:3785
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:49152:65535 dpt:4784
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:179
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:179
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8888
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:8888
```

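
The request above asks to replace the blanket `tcp dpt:179` / `tcp spt:179` ACCEPTs with per-peer rules. The following is an added example written for this page; it is not SONiC's caclmgrd code and not the Kamel Networks patch. It turns a set of BGP neighbours into per-peer ACCEPT rules for TCP/179 followed by an explicit DROP, in the same iptables form as the listing above, and includes a small first-match evaluator so the resulting chain can be checked before it is loaded. The neighbour table is constructed and only shaped like CONFIG_DB's BGP_NEIGHBOR table (keyed by peer address); its field names, and the assumption that the blanket rules were installed with exactly `-p tcp --dport 179 -j ACCEPT` / `-p tcp --sport 179 -j ACCEPT` so that `-D` can find them, are assumptions of this example.

```python
"""Build a BGP (TCP/179) peer allowlist for iptables/ip6tables.

Added illustration for the thread above; not SONiC/caclmgrd code.
"""
import ipaddress
from typing import Dict, List, Tuple

BGP_PORT = 179

# Constructed sample, shaped like CONFIG_DB's BGP_NEIGHBOR table, which is
# keyed by the neighbour's address. Field names are an assumption here.
SAMPLE_BGP_NEIGHBORS: Dict[str, Dict[str, str]] = {
    "10.0.0.57": {"name": "ARISTA01T1", "asn": "64600", "local_addr": "10.0.0.56"},
    "10.0.0.59": {"name": "ARISTA02T1", "asn": "64600", "local_addr": "10.0.0.58"},
    "fc00::7a": {"name": "ARISTA01T1", "asn": "64600", "local_addr": "fc00::79"},
    # Malformed key: must be skipped, never widened into a match-all rule.
    "not-an-address": {"name": "BROKEN", "asn": "1"},
}


def bgp_allowlist_rules(neighbors: Dict[str, Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Return (iptables_rules, ip6tables_rules) as `-A INPUT ...` argument strings.

    One ACCEPT per peer for dport 179 (peer opens the session to us) and one for
    sport 179 (mirrors the default spt:179 rule; replies to sessions we open are
    normally caught by the RELATED,ESTABLISHED rule first), then explicit DROPs so
    an unlisted source cannot even complete the TCP handshake with bgpd.
    """
    v4: List[str] = []
    v6: List[str] = []
    for key in sorted(neighbors):
        try:
            addr = ipaddress.ip_address(key)
        except ValueError:
            continue  # skip garbage keys instead of emitting a rule without -s
        bucket = v4 if addr.version == 4 else v6
        bucket.append(f"-A INPUT -p tcp -s {addr} --dport {BGP_PORT} -j ACCEPT")
        bucket.append(f"-A INPUT -p tcp -s {addr} --sport {BGP_PORT} -j ACCEPT")
    for bucket in (v4, v6):
        bucket.append(f"-A INPUT -p tcp --dport {BGP_PORT} -j DROP")
        bucket.append(f"-A INPUT -p tcp --sport {BGP_PORT} -j DROP")
    return v4, v6


def render_commands(neighbors: Dict[str, Dict[str, str]]) -> List[str]:
    """Full shell commands: delete the blanket 179 ACCEPTs, then append the allowlist.

    Order matters: iptables is first-match, so the blanket ACCEPTs must go or they
    would match before the new DROP. Appending with -A lands the new rules after
    the existing RELATED,ESTABLISHED rule, so only new connections are evaluated.
    """
    v4, v6 = bgp_allowlist_rules(neighbors)
    cmds: List[str] = []
    for binary, rules in (("iptables", v4), ("ip6tables", v6)):
        # Assumes the blanket rules were installed with exactly these match arguments.
        cmds.append(f"{binary} -D INPUT -p tcp --dport {BGP_PORT} -j ACCEPT")
        cmds.append(f"{binary} -D INPUT -p tcp --sport {BGP_PORT} -j ACCEPT")
        cmds.extend(f"{binary} {rule}" for rule in rules)
    return cmds


def decide(rules: List[str], src: str, sport: int, dport: int) -> str:
    """First-match evaluation of the TCP rules produced above.

    Returns the target of the first matching rule, or "POLICY" when nothing
    matched (i.e. the chain's default policy would apply).
    """
    for rule in rules:
        tok = rule.split()
        want = {t: tok[i + 1] for i, t in enumerate(tok) if t in ("-s", "--dport", "--sport", "-j")}
        if "-s" in want and want["-s"] != src:
            continue
        if "--dport" in want and int(want["--dport"]) != dport:
            continue
        if "--sport" in want and int(want["--sport"]) != sport:
            continue
        return want["-j"]
    return "POLICY"


if __name__ == "__main__":
    print("\n".join(render_commands(SAMPLE_BGP_NEIGHBORS)))
```

Run it to print the command list; `decide()` lets you confirm that a listed peer reaching dport 179 is accepted, an unlisted one is dropped, and unrelated ports fall through to the chain policy untouched. As the later comments note, these rules are evaluated by the Linux kernel, not the forwarding ASIC, so they protect bgpd but do not keep the traffic off the CPU path.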
lguohan commented 1 year ago

This looks like a new feature ask to further protect BGP from remote connections. Currently SONiC does not support this feature.

bluecmd commented 1 year ago

We, Kamel Networks, have implemented this in our patch set. Happy to upstream if the maintainers want it.

https://github.com/sonic-net/sonic-host-services/commit/3c5a1e9f977be7220c6b8a79f9c568b4f868338c

louishot commented 1 year ago

@bluecmd Is the iptables-based firewall processing packets in the Linux kernel or in the hardware Packet Forwarding Engine (PFE)? If in the Linux kernel, performance is terrible; it can only process up to 1M pps.

So it won't help if the packets can't be dropped by the PFE.

bluecmd commented 1 year ago

This particular commit is iptables, as is all other fine-grained blocking that I'm aware of in SONiC. Happy to switch to a hardware-based one if that's doable. Right now I'm just piggybacking on what SONiC already has.

louishot commented 1 year ago

@bluecmd I see https://github.com/sonic-net/SONiC/blob/master/doc/acl/ACL-High-Level-Design.md says: "In Phase 1 there will be implemented basic ACL functionality: complete data flow (from input json file to ASIC), creating/removing ACL Tables and ACL Rules; rules will support simple matching (all except ranges) and permit/deny actions."

When configuring the control plane ACL, it just generated some iptables rules at the OS level; I'm not sure whether it was written to the Packet Forwarding Engine (which SONiC calls the 'ASIC').