Filter based on BGP protocol status ...

[Xavier Trilla]

>I pretty sure that you already know that, and probably already heard that... But you should not do business with companies like that one.

Well, I wont say who, but I’m referring to a big DIA European provider (Really good providers besides this specific issue)… But yeah, I hate when they just ignore our prepending. If the attacking IP belongs to the specific provider AS number, the traffic will be delivered directly by the DIA we have.

De: Douglas Fischer <fischerdouglas at gmail.com>
Enviado el: jueves, 24 de marzo de 2022 23:06
Para: Xavier Trilla <xavier.trilla at clouding.io>
CC: Alarig Le Lay <alarig at swordarmor.fr>; BIRD Users <bird-users at network.cz>
Asunto: Re: Filter based on BGP protocol status ...

I pretty sure that you already know that, and probably already heard that... But you should not do business with companies like that one.



Em qui., 24 de mar. de 2022 11:09, Xavier Trilla <xavier.trilla at clouding.io<mailto:xavier.trilla at clouding.io>> escreveu:
>More simply, you can add a community on the non-ddos-protected provider to make them lower the localpref to peer routes, and stop the prepend.

We tried, but some providers basically ignore everything if you have a direct connection with them. They just forward you the traffic despite prepending or localpref.

Thanks!
Xavier.

-----Mensaje original-----
De: Bird-users <bird-users-bounces at network.cz<mailto:bird-users-bounces at network.cz>> En nombre de Alarig Le Lay
Enviado el: jueves, 24 de marzo de 2022 13:43
Para: bird-users at network.cz<mailto:bird-users at network.cz>
Asunto: Re: Filter based on BGP protocol status ...

On Thu 24 Mar 2022 07:43:03 GMT, Douglas Fischer wrote:
> I know that it is not the focus of your question, and also is not the
> focus on this mail list, but...
>
> To that kind of automation, the best BGP engine you will find is
> ExaBGP. It is not focuses in been in compliance with all the concepts
> of a routing system itself. It's focus is exactly automations using API.
>
> The scenario you described triggered-me something like a Zabbix
> looking to the status of BGP sessions of bird, and based on that doing
> API queries to a ExaBGP that is a iBGP peer of Bird.
>
> This model is used on many tools focused in anomaly detection for
> triggering DDoS mitigation.
>
>
> But, if your intention is a much simpler scenario, the suggestion
> Maria made is the most common!
> You can used also some BGP communities(if your upstream supports it)
> for no-export for some prefixes... Sometimes it helps.

More simply, you can add a community on the non-ddos-protected provider to make them lower the localpref to peer routes, and stop the prepend.

> Em qua., 23 de mar. de 2022 12:10, Xavier Trilla
> <xavier.trilla at clouding.io<mailto:xavier.trilla at clouding.io>>
> escreveu:
>
> > Hi,
> >
> >
> >
> > I’m quite sure this cannot be done, but I also know there is a lot
> > of BIRD I still don’t know, so here it goes:
> >
> >
> >
> > Is there any way to filter a export route based on another BGP
> > session status?
> >
> >
> >
> > For the sake of simplicity let’s say we have just two providers A
> > and B, and I only want to export some specific routes to B when A is down.
> >
> >
> >
> > I can do it externally with a quite simple script (For example:
> > Check if the provider is down via CLI and if it’s down insert the
> > routes I want to export to a kernel table and export that to
> > provider B) but it would be nice if I could do it directly in Bird.
> >
> >
> >
> > I’ve been scratching my head around this, but unless there is
> > something like if proto.A == down on the filters I don’t really see
> > how to do it (Or maybe some way to raise a global flag based on if
> > I’m receiving routes via provider B, but I don’t think that can’t be
> > done either.)
> >
> >
> >
> > Thanks for your time!
> >
> > Xavier
> >
> >
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20220325/49b265bf/attachment.htm>