Does a unicast route change trigger flowspec validation?
BGP flowspec (RFC 5575) carries traffic-filtering rules between routers as a BGP address family, and the specification says that a rule received from another party must be validated before it is applied.
So when does validation happen?
1. When the flowspec route is received
2. When a unicast route related to the flowspec route changes
1. is a given. Whether validation also runs at 2. should make a big difference in behaviour.
RFC 5575 says
A flow specification received from an external autonomous system will need to be validated against unicast routing before being accepted.
but it does not spell out *when* to validate. Neither do the related I-Ds.
As usual, this is left to the implementation, so I tried it on Juniper vSRX and Cisco IOS-XRv.
Environment
An eBGP session between two routers; each router
1. advertises one unicast route
2. advertises one flowspec route with the same destination prefix
Then, with the session still up, withdraw 1. and watch whether the route from 2. gets re-validated.
Results
On both Juniper vSRX and Cisco IOS-XRv, validation also runs when the unicast route changes.
That is the reasonable, or rather the intuitive, behaviour. Otherwise the validation state would depend on event order: a flowspec route that should now fail validation would stay in effect until something forced a re-evaluation, and the behaviour would change after an eBGP peer flap, after a soft clear, or after withdrawing and re-announcing the flowspec route.
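As an added example (not code from the original post, nor from either vendor), here is a small Python model of the RFC 5575 Section 6 check that re-runs validation on every unicast RIB change, which is the behaviour observed above. Rules (a) and (b) are the RFC's: the flow route's originator must match the originator of the best-match unicast route for its destination prefix, and no more-specific unicast route may have been received from a different neighboring AS than that best match. The class and function names, the in-memory RIB, and the third peer 192.168.0.99 in AS 64602 used in the last step are this example's own assumptions; the other addresses and AS numbers are taken from the lab. It goes one step beyond the lab by showing that a more-specific route from another AS also flips the state to Reject without the flow route being re-received.

```python
# Added example: a toy model of RFC 5575 Section 6 validation that is
# re-run on every unicast RIB change.  Names (FlowspecRib, run_lab, ...)
# and the third peer 192.168.0.99 / AS 64602 are assumptions of this
# example; 192.168.0.74 / AS 64601 and 10.0.2.0/24 come from the lab.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class UnicastRoute:
    prefix: ipaddress.IPv4Network
    originator: str  # neighbor address the route was learned from
    peer_as: int     # neighboring AS that sent it


@dataclass(frozen=True)
class FlowRoute:
    dest: ipaddress.IPv4Network  # destination prefix in the flowspec NLRI
    originator: str
    peer_as: int


class FlowspecRib:
    """Received unicast and flowspec routes plus the validation state of
    every flowspec route ("Accept" / "Reject", as vSRX prints it)."""

    def __init__(self):
        self.unicast = {}  # prefix -> UnicastRoute (one path per prefix)
        self.flow = {}     # (dest, originator) -> FlowRoute
        self.state = {}    # (dest, originator) -> "Accept" | "Reject"

    def best_match(self, dest):
        # Longest-prefix match over the unicast routes that cover dest.
        covering = [r for r in self.unicast.values() if dest.subnet_of(r.prefix)]
        return max(covering, key=lambda r: r.prefix.prefixlen, default=None)

    def validate(self, fr):
        best = self.best_match(fr.dest)
        if best is None:
            return "Reject"  # no covering unicast route (the withdrawn case)
        # (a) originator of the flow route must match the originator of
        #     the best-match unicast route for its destination prefix
        if best.originator != fr.originator:
            return "Reject"
        # (b) no unicast route more specific than fr.dest may come from a
        #     different neighboring AS than the best match
        for r in self.unicast.values():
            if (r.prefix != fr.dest and r.prefix.subnet_of(fr.dest)
                    and r.peer_as != best.peer_as):
                return "Reject"
        return "Accept"

    def revalidate(self):
        # Re-run validation for every flow route.  Called on every unicast
        # RIB change, not only when a flow route arrives.
        self.state = {k: self.validate(fr) for k, fr in self.flow.items()}
        return dict(self.state)

    def add_unicast(self, route):
        self.unicast[route.prefix] = route
        return self.revalidate()

    def withdraw_unicast(self, prefix):
        self.unicast.pop(prefix, None)
        return self.revalidate()

    def add_flow(self, fr):
        self.flow[(fr.dest, fr.originator)] = fr
        return self.revalidate()


def run_lab():
    """Replay the experiment as seen from the vSRX side and return the
    validation state of the received flow route after each step."""
    net = ipaddress.IPv4Network
    peer = "192.168.0.74"  # the IOS-XRv neighbor, AS 64601
    rib = FlowspecRib()
    fr = FlowRoute(net("10.0.2.0/24"), peer, 64601)
    key = (fr.dest, peer)
    out = {}
    rib.add_unicast(UnicastRoute(net("10.0.2.0/24"), peer, 64601))
    out["with_unicast"] = rib.add_flow(fr)[key]
    out["after_withdraw"] = rib.withdraw_unicast(net("10.0.2.0/24"))[key]
    out["after_readvertise"] = rib.add_unicast(
        UnicastRoute(net("10.0.2.0/24"), peer, 64601))[key]
    # Beyond the lab: a more-specific route from a hypothetical third peer
    # in another AS trips rule (b), again with no new flowspec UPDATE.
    out["more_specific_other_as"] = rib.add_unicast(
        UnicastRoute(net("10.0.2.128/25"), "192.168.0.99", 64602))[key]
    return out


if __name__ == "__main__":
    for step, state in run_lab().items():
        print(f"{step:24s} {state}")
```

The point of the model is that `revalidate()` hangs off the unicast add/withdraw paths, not only off `add_flow()`; an implementation that validated only at receive time would return "Accept" for the withdraw step until the peer flapped or the route was re-announced.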
The details, for reference.
Configuration
Juniper vSRX
routing-options {
    static {
        route 10.0.1.0/24 discard;   # deactivate / activate this during the test
    }
    autonomous-system 64600;
    flow {
        route flow1 {
            match destination 10.0.1.0/24;
            then discard;
        }
    }
}
protocols {
    bgp {
        group ebgp {
            family inet {
                unicast;
                flow;
            }
            export redistribute-static;
            peer-as 64601;
            neighbor 192.168.0.74;
        }
    }
}
policy-options {
    policy-statement redistribute-static {
        from protocol static;
        then accept;
    }
}
Cisco IOS-XRv
class-map type traffic match-all flow1
 match destination-address ipv4 10.0.2.0 255.255.255.0
 !
 end-class-map
!
policy-map type pbr drop1
 class type traffic flow1
  drop
 !
 class type traffic class-default
 !
 end-policy-map
!
route-policy permit-all
  pass
end-policy
!
router static
 address-family ipv4 unicast
  10.0.2.0/24 Null0
  ! remove / re-add the static route above during the test
 !
!
router bgp 64601
 address-family ipv4 unicast
  redistribute static
 !
 address-family ipv4 flowspec
 !
 neighbor-group ebgp
  remote-as 64600
  address-family ipv4 unicast
   route-policy permit-all in
   route-policy permit-all out
   soft-reconfiguration inbound always
  !
  address-family ipv4 flowspec
   route-policy permit-all in
   route-policy permit-all out
   soft-reconfiguration inbound always
  !
 !
 neighbor 192.168.0.67
  use neighbor-group ebgp
 !
!
flowspec
 address-family ipv4
  service-policy type pbr drop1
 !
!
end
With the unicast route present
koji@vsrx> show route table inetflow.0 detail

inetflow.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
...
10.0.2/24,*/term:2 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Next hop type: Fictitious
                Address: 0x8f3df04
                Next-hop reference count: 2
                State: <Active Ext>
                Local AS: 64600 Peer AS: 64601
                Age: 10:38
                Task: BGP_64601.192.168.0.74+179
                Announcement bits (1): 0-Flow
                AS path: 64601 I
                Communities: traffic-rate:64601:0
                Accepted
                Validation state: Accept, Originator: 192.168.0.74   # accepted
                Via: 10.0.2.0/24, Active
                Localpref: 100
                Router ID: 172.16.0.3

RP/0/0/CPU0:ios#sh bgp ipv4 flowspec Dest:10.0.1.0/24
Thu May 22 10:52:24.962 UTC
BGP routing table entry for Dest:10.0.1.0/24/40
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                  6           6
Last Modified: May 22 10:46:16.486 for 00:06:08
Paths: (1 available, best #1)
  Not advertised to any peer
  Path #1: Received by speaker 0
  Not advertised to any peer
  64600, (received & used)
    0.0.0.0 from 192.168.0.67 (172.16.0.2)
      Origin IGP, localpref 100, valid, external, best, group-best   ! selected as best
      Received Path ID 0, Local Path ID 1, version 6
      Extended community: FLOWSPEC Traffic-rate:0,0
With the unicast route withdrawn
koji@vsrx> show route table inetflow.0 detail all
...
10.0.2/24,*/term:N/A (1 entry, 0 announced)
         BGP                 /-101
                Next hop type: Fictitious
                Address: 0x8f3df04
                Next-hop reference count: 2
                State: <Hidden Ext>
                Local AS: 64600 Peer AS: 64601
                Age: 17:41
                Task: BGP_64601.192.168.0.74+179
                AS path: 64601 I
                Communities: traffic-rate:64601:0
                Validation state: Reject, Originator: 192.168.0.74   # rejected
                Via: 0.0.0.0/0, Active
                Localpref: 100
                Router ID: 172.16.0.3

RP/0/0/CPU0:ios#sh ip bgp ipv4 flowspec Dest:10.0.1.0/24
Thu May 22 10:58:36.526 UTC
BGP routing table entry for Dest:10.0.1.0/24/40
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                  7           7
Last Modified: May 22 10:54:16.486 for 00:04:20
Paths: (1 available, no best path)
  Not advertised to any peer
  Path #1: Received by speaker 0
  Not advertised to any peer
  64600, (received & used)
    0.0.0.0 from 192.168.0.67 (172.16.0.2)
      Origin IGP, localpref 100, valid, external, invalid flowspec-path   ! now invalid
      Received Path ID 0, Local Path ID 0, version 0
      Extended community: FLOWSPEC Traffic-rate:0,0