FRR BGP Protocol Analysis 10 -- FLOW SPEC
Flowspec introduces a new NLRI encoding format that is used to distribute traffic rules (flow specifications). Basically, instead of an IP prefix relying simply on the destination IP address, the IP prefix is replaced by an n-tuple containing a rule. That rule can be a more or less complex combination of the following:
- Network source/destination (can be one or the other, or both).
- Layer 4 information for UDP/TCP: source port, destination port, or any port.
- Layer 4 information for ICMP type and ICMP code.
- Layer 4 information for TCP flags.
- Layer 3 information: DSCP value, protocol type, packet length, fragmentation.
- Other Layer 4 TCP flags.
A combination of the above rules is applied for traffic filtering. This is encoded as part of specific BGP extended communities, and the action can range from the obvious rerouting (to a nexthop or to a separate VRF) to shaping or discarding.
The 12 match types and the actions
| BGP Flowspec NLRI Type | Matching Field (IPv6) | Matching Field (IPv4) | Input Value |
|---|---|---|---|
| Type 1 | IPv6 destination address | IPv4 destination address | Prefix length |
| Type 2 | IPv6 source address | IPv4 source address | Prefix length |
| Type 3 | IPv6 next header | IPv4 protocol | Multi-value range |
| Type 4 | IPv6 source or destination port | IPv4 source or destination port | Multi-value range |
| Type 5 | IPv6 destination port | IPv4 destination port | Multi-value range |
| Type 6 | IPv6 source port | IPv4 source port | Multi-value range |
| Type 7 | IPv6 ICMP type | IPv4 ICMP type | Multi-value range |
| Type 8 | IPv6 ICMP code | IPv4 ICMP code | Multi-value range |
| Type 9 | IPv6 TCP flags | IPv4 TCP flags (2 bytes include reserved bits) | Bit mask |
| Type 10 | IPv6 packet length | IPv4 packet length | Multi-value range |
| Type 11 | IPv6 traffic class | IPv4 DSCP | Multi-value range |
| Type 12 | Reserved | IPv4 fragment bits | Bit mask |
Type 1: Destination prefix component
Type 2: Source prefix component
Type 3: IP Protocol component
The option byte is defined as follows:
- E bit: end of option (must be set to 1 for the last option)
- A bit: AND bit; if set, the operation between several [option/value] pairs is a logical AND, if unset it is a logical OR. Never set for the first option
- Len: if 0, the following value is encoded in 1 byte; if 1, the following value is encoded in 2 bytes
- Lt bit: less-than comparison between the data and the given value
- Gt bit: greater-than comparison between the data and the given value
- Eq bit: equality comparison between the data and the given value
Type 4: Port number component
Type 5: Destination port number component
Type 6: Source port number component
Type 7: ICMP Type component
Type 8: ICMP Code component
Type 9: TCP Flags component
The option byte is defined as follows:
- E bit: end of option (must be set to 1 for the last option)
- A bit: AND bit; if set, the operation between several [option/value] pairs is a logical AND, if unset it is a logical OR. Never set for the first option
- Len: if 0, the following value is encoded in 1 byte; if 1, the following value is encoded in 2 bytes
- NOT bit: logical negation of the match between the data and the given value
- m bit: match operation between the data and the given value
Type 10: Packet Length component
Type 11: DSCP Value component
Type 12: Fragment component
After the flow definition, Traffic Actions (rules) are encoded as an Extended Community Attribute (see RFC 4360).
There are 4 types of "Action", each with a dedicated Extended Community TYPE. The actions currently available are listed below:
Traffic-rate action:
Used to discard or rate-limit a specific flow. The discard action is actually a rate equal to zero. The remaining 4 octets carry the rate (in bytes/sec).
Traffic-action action:
Used to trigger specific processing of the corresponding flow. Only the last 2 bits of the 6 bytes are currently defined, as follows:
- Terminal Action (bit 47): when this bit is set, the traffic filtering engine will apply any subsequent filtering rules (as defined by the ordering procedure). If not set, the evaluation of the traffic filter stops when this rule is applied.
- Sample (bit 46): enables traffic sampling and logging for this flow specification.
Redirect action:
Traffic redirection allows specifying a "route-target" community, which the router uses to redirect a flow to a specific VRF.
Traffic-marking action:
Used to force a flow to be rewritten with a specific DSCP value when it leaves the router.
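To make the component encoding and the action encoding above concrete, here is an added Python decoder (not FRR code, not from the FRR documentation) for an IPv4 Flowspec NLRI and a traffic-rate extended community. It uses the full 2-bit len field of the operator byte from RFC 5575 (1, 2, 4 or 8-byte values), which generalizes the 1-byte/2-byte description above; the sample bytes are constructed for the example.

```python
# Added example (not FRR code): decode an IPv4 Flowspec NLRI (RFC 5575) and a traffic-rate action
import ipaddress, struct

NUMERIC = {3: "proto", 4: "port", 5: "dport", 6: "sport", 7: "icmp-type",   # component types
           8: "icmp-code", 10: "pkt-len", 11: "dscp"}                       # from the table above
BITMASK = {9: "tcp-flags", 12: "fragment"}

def decode_operator(op, bitmask):
    """Operator byte: e (end), a (AND), len (2 bits -> 1/2/4/8-byte value), then lt/gt/eq or not/match."""
    end, is_and, vlen = bool(op & 0x80), bool(op & 0x40), 1 << ((op >> 4) & 0x3)
    if bitmask:
        cmp = ("!" if op & 0x02 else "") + ("match" if op & 0x01 else "any")
    else:
        cmp = "".join(s for bit, s in ((0x04, "<"), (0x02, ">"), (0x01, "=")) if op & bit) or "false"
    return end, is_and, vlen, cmp

def decode_flowspec_nlri(data):
    """Return ([component strings], leftover bytes) for the first NLRI in data."""
    # NLRI length is 1 byte if < 240, otherwise 2 bytes with the top nibble 0xF
    length, pos = (data[0], 1) if data[0] < 0xF0 else (((data[0] & 0x0F) << 8) | data[1], 2)
    end, comps = pos + length, []
    while pos < end:
        ctype = data[pos]; pos += 1
        if ctype in (1, 2):                  # destination / source prefix: length byte + prefix octets
            plen, nbytes = data[pos], (data[pos] + 7) // 8; pos += 1
            addr = ipaddress.ip_address(data[pos:pos + nbytes].ljust(4, b"\0")); pos += nbytes
            comps.append(f"{'dst' if ctype == 1 else 'src'} {addr}/{plen}")
            continue
        name = NUMERIC.get(ctype) or BITMASK.get(ctype)
        if name is None:
            raise ValueError(f"unknown flowspec component type {ctype}")
        terms = []
        while True:                          # [operator, value] pairs until the e bit is set
            e, a, vlen, cmp = decode_operator(data[pos], ctype in BITMASK); pos += 1
            value = int.from_bytes(data[pos:pos + vlen], "big"); pos += vlen
            terms.append(f"{cmp} {value}" if not terms else f"{'&&' if a else '||'} {cmp} {value}")
            if e:
                break
        comps.append(f"{name} {' '.join(terms)}")
    return comps, data[end:]

def decode_traffic_rate(ec):
    """Traffic-rate extended community 0x8006: 2-byte AS then a float rate in bytes/sec; 0 = discard."""
    etype, subtype, _asn, rate = struct.unpack(">BBHf", ec)
    if (etype, subtype) != (0x80, 0x06):
        raise ValueError("not a traffic-rate community")
    return "discard" if rate == 0.0 else f"rate-limit {rate:.0f} B/s"

# Constructed sample: dst 10.0.0.0/8, proto 6 (TCP), dport 80 or 443, tcp-flags match 0x02 (SYN)
SAMPLE_NLRI = bytes.fromhex("0f01080a0381060501509101bb098102")
```

`decode_flowspec_nlri(SAMPLE_NLRI)` yields `dst 10.0.0.0/8`, `proto = 6`, `dport = 80 || = 443` and `tcp-flags match 2`, and an all-zero rate in `decode_traffic_rate` is the discard case described above.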
Client processing flow
FRR implements the Flowspec client side, which means BGP can receive Flowspec entries but cannot act as a controller and send Flowspec entries. FRR uses the PBR facilities provided by Linux to install the received policies:
- Filtering traffic with Netfilter. Netfilter provides a set of tools, ipset and iptables, that are powerful enough to filter traffic according to Flowspec filtering rules.
- Using non-standard routing tables through iproute2 (through the commands it provides). This is already used by FRR's PBR daemon, which provides basic policy-based routing based on IP source and destination criteria.
Basic configuration:
router bgp <ASx>
 neighbor <A.B.C.D> remote-as <ASz>
 address-family ipv4 flowspec
  neighbor A.B.C.D activate
Debug commands:
show bgp ipv4 flowspec [detail | A.B.C.D]
show pbr ipset IPSETNAME | iptable
show ip route table TABLEID
[no] debug bgp flowspec
[no] debug bgp pbr [error]
Packet receive processing flow
bgp_process_packet handles the packets received by BGP; Flowspec is carried in UPDATE messages.
---- calls bgp_update_receive to handle the UPDATE message
---- bgp_attr_parse parses the attributes of the UPDATE message
---- bgp_attr_ext_communities parses the BGP_ATTR_EXT_COMMUNITIES extended attribute into a str; it covers the 4 Flowspec action types, and the parsed result is stored in attr->ecommunity
---- bgp_mp_reach_parse parses the BGP_ATTR_MP_REACH_NLRI attribute, which carries the 12 Flowspec match types; they are stored in the nlri field of struct bgp_nlri
---- bgp_nlri_parse continues parsing the NLRI
---- bgp_nlri_parse_flowspec parses the Flowspec NLRI; IPv6 is not supported?? What would need to change to support it?
---- bgp_fs_nlri_validate validates the 12 Flowspec match attributes
---- bgp_update: this function is rather large, it needs further reading
---- bgp_process
---- bgp_process_wq
---- bgp_process_main_one
---- bgp_zebra_announce
---- bgp_pbr_update_entry: Flowspec calls PBR to implement the policy
bgp_pbr_update_entry
---- bgp_pbr_build_and_validate_entry parses and fills in the Flowspec match and action
---- bgp_pbr_handle_entry: after parsing and filling are complete, this function is called to install the BGP PBR policy
ACTION_TRAFFICRATE (rate limiting), ACTION_TRAFFIC_ACTION and ACTION_MARKING (DSCP) are not explicitly installed by the current PBR.
bgp_pbr_policyroute_add_to_zebra: the remaining supported actions call this to install the policy into zebra
---- bgp_pbr_policyroute_add_to_zebra_unit
---- bgp_send_pbr_ipset_match
---- bgp_send_pbr_ipset_entry_match
---- bgp_send_pbr_iptable
FRR only supports the Flowspec client side and implements it with PBR; how PBR itself is implemented will be covered in a later post.