Source-IP-Origin-AS Filter for
BGP Flow SpecificationHuawei156 Beiqing RoadBeijing100095P.R. Chinarainsword.wang@huawei.comChina TelecomBeiqijia Town, Changping DistrictBeijing102209P.R. Chinawangaj3@chinatelecom.cnHuawei156 Beiqing RoadBeijing100095P.R. Chinazhuangshunwan@huawei.comHuawei156 Beiqing RoadBeijing100095P.R. Chinajie.dong@huawei.comHuawei156 Beiqing RoadBeijing100095P.R. Chinayang.huang@huawei.comHuawei156 Beiqing RoadBeijing100095P.R. Chinaqintao11@huawei.com
Routing
IDR Working GroupThis document defines an extension to the Border Gateway Protocol
(BGP) Flow Specification (FlowSpec) to enable filtering based on the
Origin Autonomous System (AS) of the source IP address. This extension
is particularly useful in mitigating Distributed Denial of Service
(DDoS) attacks where the source IP addresses are dynamic but belong to a
specific source AS.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 when, and only when, they
appear in all capitals, as shown here.BGP Flow Specification (FlowSpec), defined in and , allows for the
dissemination of traffic filtering rules. Current FlowSpec components
support filtering by destination prefix, source prefix, and various
Layer 4 parameters.In certain DDoS mitigation scenarios, an operator may need to apply
rate-limiting or filtering to all traffic sourced from a particular
network (Autonomous System), even when the specific souce IP prefixes
within that AS are numerous or rapidly changing. Manually updating
hundreds of prefix-based FlowSpec rules is inefficient. This document
introduces a new FlowSpec component that allows operators to use the
Source Origin AS as a matching criterion.FS: Flow SpecificationSource-IP-Origin-AS: The origin AS number of the source IP
addressThis document proposes a new flow specification component type that
is encoded in the BGP Flowspec NLRI. The following new component type is
defined.Source-IP-Origin-ASType TBD1 - Source-IP-Origin-ASEncoding: <type (1 octet), [op, value]+>Contains a set of {operator, value} pairs that are used to match the
Source-IP-Origin-AS (i.e. the origin AS number of the source IP
address).The operator byte is encoded as:Where:e - end-of-list bit. Set in the last {op, value} pair in the
list.a - AND bit. If unset, the previous term is logically ORed with the
current one. If set, the operation is a logical AND. It MUST be unset in
the Source-IP-Origin-AS filter.len - The length of the value field for this operator given as (1
<< len). This encodes 1 (len=00), 2 (len=01), 4 (len=10), and 8
(len=11) octets.lt - less than comparison between data and value.gt - greater than comparison between data and value.eq - equality between data and value.The bits lt, gt, and eq can be combined to produce match the
Source-IP-Origin-AS filter or a range of Source-IP-Origin-AS filter(e.g.
less than AS1 and greater than AS2).The value field is encoded as:Per section 10 of , If a receiving BGP
speaker cannot support this new Flow Specification component type, it
MUST discard the NLRI value field that contains such unknown components.
Since the NLRI field encoding (Section 4 of ) is
defined in the form of a 2-tuple <length, NLRI value>, message
decoding can skip over the unknown NLRI value and continue with
subsequent remaining NLRI.In cases of multi-homed prefixes with multiple Origin ASes, the match
succeeds if any of the valid Origin ASes match the filter.When a BGP speaker receives a FlowSpec update containing the
Source-IP-Origin-AS component:It MUST determine the Origin AS of the souce IP of the transit
packet by performing a lookup in its local BGP RIB.If the packet's source IP matches a prefix whose BGP path has an
AS_PATH where the rightmost AS (the origin) matches the value in the
FlowSpec rule, the action (e.g., rate-limit, discard) MUST be
applied.This section describes how to use this function in a simple scenario.
Considering the topology shown in Figure 3. In AS64597's R2, if the ISP
AS64597 wants to redirect all packets originating from AS64598 to IP
Prefix 61:"first go to R3, then forward them to IP Prefix 61", the ISP AS64597
can use the traditional method or the method defining in this draft.Using the traditional method, the ISP AS64597 needs to setup multiple
"Source Prefix + Destination Prefix" rules in Router R2 as
following:Using the method defining in this draft, the ISP AS64597 needs to
setup only one "Source IP Origin AS + Destination Prefix" rule in Router
R2 as following:Obviously, the new method defining in this draft saves a lot of entry
spaces on the control plane and forwarding plane, and it would greatly
simplify the operation of the control plane, and the more source
prefixes an AS has, the more obvious the benefit.In addition to the security considerations in [RFC8955], operators
must be aware of:Routing Inconsistency: If different routers in the network have
different views of the BGP table, the "Origin AS" for a given IP may
differ, leading to inconsistent filter application.AS_PATH Manipulation: An attacker could potentially spoof or
prepend ASes to bypass filters if the local BGP table is
compromised.Validation: Implementations SHOULD ensure that FlowSpec rules are
validated against the originating peer to prevent unauthorized
AS-based filtering across administrative boundaries.IANA is requested to a new entry in "Flow Spec component types
registry" with the following values:TBDTBD