BgpGroup filter


gg

Nov 12, 2020, 11:06:54 AM11/12/20
to sFlow-RT
Hi Peter,

I'm sorry I've been bombing you with questions lately, I promise I'll stop soon!

I am trying to modify the filter when using BGP information to only select flows where the destination address is included in prefixes received from BGP and that have a specific community. Again, this needs to be the destination address, not the source address of the flow. The purpose of this filter would be to protect against inbound attacks directed at local prefixes (defined by those communities).

This is the filter I want to modify:

filter += '&eq:bgpsourceas:bgpas=false&eq:bgpdestinationas:bgpas=true';

There's the flow key "bgpcommunities", but how could I associate it with destination addresses only?

Related to this, how come the prefix information has the following information:

{ "prefix": "XXX.XXX.XXX.XXX/19", "origin": "IGP", "aspath": "ASN1-ASN2", "valueIngress": 3.7641340777083474E8, "valueEgress": 2.286901615970851E8, "nexthop": "YYY.YYY.YYY.YYY", "communities": "ASN1:ZZZ" }

But /flowkeys/json has the following BGP-related metrics. Can I access that information for that prefix other than in queries?

"bgpnexthop": 6,
"bgpcommunities": 6,
"bgpsourcepeeras": 6,
"bgpsourceas": 6,
"bgpdestinationaspath": 6,
"bgpas": 6,
"bgpdestinationas": 6,
"bgpdestinationpeeras": 6

For example, how could I check what the value of "bgpsourceas" is for the example prefix shown before? Is there any way to do that?

Regards,
GG

gg

Nov 12, 2020, 12:07:35 PM11/12/20
to sFlow-RT
Peter,

I'm already filtering prefixes with those communities on the router, so destination addresses are all prefixes received from BGP. Perhaps a simpler way would be something like "all routes received from BGP are destinations" for the filter. But I can't find how to do that either. Can you think of anything?

Peter Phaal

Nov 12, 2020, 12:47:48 PM11/12/20
to sFlow-RT
The bgpnexthop, bgpdestinationaspath, bgpdestinationpeeras, bgpdestinationas, bgplocalpref, bgpmed, bgpas, and bgpcommunities fields are all looked up based on the destination address. The only fields looked up by source address are bgpsourceas and bgpsourcepeeras.

Adding a bgpcommunities filter to the flow definition would be one way to exclude specific communities. You would need to use a regular expression in the filter (~) to match a specific community in the list.

An alternative would be to add bgpcommunities as one of your flow keys. You could then change your policy in the eventHandler() based on the value of the field. You can add additional bgp attributes to the flow definition if they would be helpful in deciding the actions you want to take in the eventHandler().
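
The two approaches Peter describes, written out as an added example (this is not code from the thread or from the sFlow-RT project). It assumes a made-up protected community 65000:100, that the bgpcommunities flow key is a comma-separated list, that the filter's regular-expression operator is `~` as Peter says, and invented flow and threshold names. The sFlow-RT script functions (setFlow, setThreshold, setEventHandler, logInfo) only exist inside sFlow-RT, so the registration is guarded and the file also runs under node; the pure helpers are what the assertions exercise.

```javascript
// Added example, not the thread's or sFlow-RT's own code.
// ES5 syntax (var, function declarations) on purpose: sFlow-RT's embedded
// JavaScript engine is older than node's.

// ASSUMPTION: the local "protect me" community; replace with your own.
var PROTECTED_COMMUNITY = '65000:100';

// Escape regex metacharacters so a community string is matched literally
// (a community such as "65000:100" contains none, but be safe).
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Regex that matches one community anywhere in a comma-separated list
// (separator assumed). The leading/trailing .* make it work whether the
// engine requires a full match or a partial one.
function communityRegexSource(community) {
  return '(^|.*,)' + escapeRegex(community) + '(,.*|$)';
}

// Approach 1: a filter term on bgpcommunities using the '~' regex operator.
// bgpcommunities is looked up by destination address, so this only ever
// constrains the destination side of the flow.
function communityFilterTerm(community) {
  return 'bgpcommunities~' + communityRegexSource(community);
}

// Full filter: destination (not source) is locally originated, and the
// destination prefix carries the protected community.
function buildFilter(community) {
  return 'eq:bgpsourceas:bgpas=false&eq:bgpdestinationas:bgpas=true&' +
         communityFilterTerm(community);
}

// Approach 2: carry bgpcommunities as the LAST flow key and decide in the
// event handler. evt.flowKey for keys 'ipdestination,bgpcommunities' is
// assumed to be 'addr,c1,c2,...', so field 0 is the address and the rest
// is the community list.
function parseFlowKey(flowKey) {
  var parts = flowKey.split(',');
  return { ipdestination: parts[0], communities: parts.slice(1).join(',') };
}

function hasCommunity(list, community) {
  return new RegExp(communityRegexSource(community)).test(list);
}

function shouldBlock(flowKey, community) {
  return hasCommunity(parseFlowKey(flowKey).communities, community);
}

// Registration with sFlow-RT (names below are invented for the example).
if (typeof setFlow === 'function') {
  setFlow('inbound_protected', {
    keys: 'ipdestination,bgpcommunities',
    value: 'frames',
    filter: buildFilter(PROTECTED_COMMUNITY)
  });
  setThreshold('inbound_protected', {
    metric: 'inbound_protected', value: 10000, byFlow: true, timeout: 2
  });
  setEventHandler(function(evt) {
    // The filter already restricts flows; this is where approach 2 would
    // branch on the community if the filter were dropped instead.
    if (shouldBlock(evt.flowKey, PROTECTED_COMMUNITY)) {
      logInfo('inbound flood towards protected prefix: ' + evt.flowKey);
    }
  }, ['inbound_protected']);
}
```

Usage: drop the file into sFlow-RT's script directory, change PROTECTED_COMMUNITY, and replace the logInfo call with the action you actually take (for example a RTBH or Flowspec announcement). One caveat with approach 1: the backslashes produced by escapeRegex end up inside an sFlow-RT filter string, so check how the filter is parsed before relying on communities that contain regex metacharacters.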

gaston gutierrez

Nov 12, 2020, 2:58:05 PM11/12/20
to Peter Phaal, sFlow-RT
Peter,

I've tried sourcing an ICMP flood from one prefix received from BGP, matching a specific community, and it is blocked. If it isn't matching the community, it isn't blocked. That means that "bgpcommunities" is being considered in the filter for the source address as well.

Same test where the destination is a prefix received from BGP, matching a community or not, the results are the same, but that is expected.


gaston gutierrez

Nov 12, 2020, 3:09:32 PM11/12/20
to Peter Phaal, sFlow-RT
Never mind, I thought I had disabled echo replies; those were triggering the threshold.