Filtering Flowspec Routes from/to BGP Peer

Ondrej Zajicek santiago at crfreenet.org
Mon Jul 23 16:57:29 CEST 2018


On Mon, Jul 23, 2018 at 03:29:27PM +0200, Tim Weippert wrote:
> Hi List, 
> 
> I am currently searching for some information on what filtering is possible in Bird on Flowspec (flow4/flow6) routes. As I currently understand it, the BGP common fields (Community, AS_Path, etc.) are accessible and filterable, but no flow-specific attribute (src, dst, ...).
> 
> If I understand it correctly, it wouldn't be possible to filter flowspec routes on source/destination attributes. So in a normal BGP environment, I can filter flowspec per AS, but not as granularly as "this AS is allowed to send flowspec routes with src/dst from a given prefix"!?
> 
> Is something planned to be implemented, or is it there and I'm unable to find it?

Hi

You are right, this is not possible. Technically, 'net.ip' and 'net.len'
would return dst prefix-address and prefix-length (like for regular
route) and you can use 'net ~ PREFIX' to match dst against PREFIX, but
these are undocumented hacks and may change in the future.

We are currently working on changes to filter code to make it more
flexible, so additional operations can be added in a more straightforward
way than with the current code. Although, it would make sense to at least
add accessors for src and dst as a short-term solution.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
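
The destination match described in the reply above, written out as a BIRD configuration fragment. This is an added example and not part of the original message or the BIRD documentation. It assumes BIRD 2.x syntax and relies on the undocumented behaviour of 'net' and 'net.len' on flow4 routes that the reply warns may change. The names flowtab4, flowspec_from_customer and customer1, the AS numbers and the 192.0.2.0/24 and 198.51.100.1 addresses are placeholders.

```bird
# Added example (assumption: BIRD 2.x). Placeholder names and addresses.
# Depends on undocumented behaviour: on a flow4 route, 'net' and 'net.len'
# expose the dst prefix, so re-test this filter after every BIRD upgrade.

flow4 table flowtab4;

filter flowspec_from_customer
{
  # Accept a rule only if its dst prefix lies inside the customer's block.
  # A rule with no dst component, or a dst outside the block, fails here.
  if !(net ~ 192.0.2.0/24) then reject;

  # Optional tightening: only host-specific rules, to limit how much
  # traffic one received rule can affect.
  if net.len < 32 then reject;

  accept;
}

protocol bgp customer1 {
  local as 64496;
  neighbor 198.51.100.1 as 64500;

  flow4 {
    table flowtab4;
    import filter flowspec_from_customer;
    export none;          # never reflect flowspec back to the customer
  };
}
```

Nothing in this fragment constrains the src component, since the reply mentions no accessor for it.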

