Re: [j-nsp] FlowSpec rules being installed, but not matching any traffic

2022-04-14 Thread Nathan Ward via juniper-nsp

> On 14/04/2022, at 10:53 PM, Tobias Heister via juniper-nsp wrote:
> 
> Hi,
> 
> I doubt that BGP Flow Spec is systested or supported on any QFX5k platform.
> 
> Feature Explorer (while not perfect :)) does support me in that thinking: 
> https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFKey=1541=BGP+Flow+Specification


Yeah… QFX5100 (and all the Broadcom boxes, AFAICT) fail open when firewall 
filters get too complex - and that complexity limit is pretty low.
Given that, having BGP be able to program those same firewall filters seems 
like a very bad idea on those boxes.

I wonder if the flowspec rules aren’t matching because the whole thing is too 
complex and it’s failing open.

--
Nathan Ward

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] FlowSpec rules being installed, but not matching any traffic

2022-04-14 Thread Tobias Heister via juniper-nsp

Hi,

I doubt that BGP Flow Spec is systested or supported on any QFX5k platform.

Feature Explorer (while not perfect :)) does support me in that 
thinking: 
https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFKey=1541=BGP+Flow+Specification


regards
Tobias


[j-nsp] FlowSpec rules being installed, but not matching any traffic

2022-04-14 Thread Paul S. via juniper-nsp

Hey folks,

We're trying to build a little something where we block malicious 
traffic after detection via BGP flowspec. This is a super simple network 
with a pair of QFX5100-24Q-2P acting as our l3 gateways, which then runs 
a single VLAN.


Configuration snippets below. The problem we're seeing is that announced 
flowspec rules get installed in the rib, and on the firewall filter -- 
but that filter matches nothing, no counters get incremented. If we try 
to set traffic-rate to 0 via src/dst IPs, that doesn't work either.


What I'm seeing is very similar to 
https://www.reddit.com/r/Juniper/comments/g70f8n/flowspec_rules_not_matching_anything_at_all/


Is this a platform limitation, or am I doing something wrong?

root@member0# run show firewall filter __flowspec_default_inet__

Filter: __flowspec_default_inet__
Counters:
Name                          Bytes               Packets
10.1.1.2,*                        0                     0   <-- Note the empty counters
224.0.0.2,*                       0                     0



root@member0# run show route table inetflow.0 extensive

inetflow.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
10.1.1.2,*/term:1 (1 entry, 1 announced)
TSI:
KRT in dfwd;
Action(s): discard,count
*BGP    Preference: 170/-101
Next hop type: Fictitious, Next hop index: 0
Address: 0xc9e3780
Next-hop reference count: 2
Next hop:
State: 
Peer AS: 1234
Age: 22:02
Validation State: unverified
Task: BGP_394727_394727.172.16.1.2
Announcement bits (1): 0-Flow
AS path: I
Communities: traffic-rate:0:0
Accepted
Localpref: 100
Router ID: 172.16.1.2
Thread: junos-main


Configs

root@member0# show protocols bgp group FLOWSPEC
type internal;
neighbor 172.16.1.2 {
    local-address 172.16.1.1;
    family inet {
        unicast;
        flow {
            no-validate flowspec-import;
        }
    }
}

{master:0}[edit]
root@member0# show routing-options
static {
    route 0.0.0.0/0 next-hop [ 1.2.3.4 ];
}
flow {
    term-order standard;
}
nonstop-routing;

root@member0# show interfaces irb.1181
bandwidth 40g;
family inet {
    address 10.0.0.1/24;
}


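As an added check (not code from the thread or from Juniper), a small Python script that cross-checks the two outputs Paul quoted: it lists the flowspec routes present in inetflow.0 whose `__flowspec_default_inet__` counters are still zero, which is the symptom described above, and any route with no counter at all. The show outputs embedded below are constructed samples modelled on the thread, not real captures.

```python
import re

# Constructed sample output, modelled on the outputs quoted in the thread
# (not real captures); one extra rule with hits and one missing from the
# filter are added to show how the check classifies them.
INETFLOW_OUTPUT = """\
inetflow.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
10.1.1.2,*/term:1 (1 entry, 1 announced)
224.0.0.2,*/term:2 (1 entry, 1 announced)
192.0.2.9,*/term:3 (1 entry, 1 announced)
198.51.100.7,*/term:4 (1 entry, 1 announced)
"""
FILTER_OUTPUT = """\
Filter: __flowspec_default_inet__
Counters:
Name                          Bytes               Packets
10.1.1.2,*                        0                     0
224.0.0.2,*                       0                     0
192.0.2.9,*                    1200                    10
"""

# 'dst,src/term:N' route headers in inetflow.0 and 'name bytes packets' counter rows
ROUTE_RE = re.compile(r"^(\S+?),(\S*?)/term:(\d+)\b", re.M)
COUNTER_RE = re.compile(r"^(\S+,\S*)[ \t]+(\d+)[ \t]+(\d+)[ \t]*$", re.M)

def parse_flow_routes(text):
    """Map 'dst,src' flowspec NLRI names from inetflow.0 to their term number."""
    return {f"{dst},{src}": int(term) for dst, src, term in ROUTE_RE.findall(text)}

def parse_counters(text):
    """Map counter name to (bytes, packets) from the flowspec filter output."""
    return {name: (int(b), int(p)) for name, b, p in COUNTER_RE.findall(text)}

def audit_flowspec(inetflow_text, filter_text):
    """Cross-check installed flowspec routes against filter counters.
    Returns which installed rules have never matched (zero bytes and packets)
    and which have no counter in the filter at all."""
    routes = parse_flow_routes(inetflow_text)
    counters = parse_counters(filter_text)
    zero_hits = sorted(n for n in routes if counters.get(n) == (0, 0))
    missing = sorted(n for n in routes if n not in counters)
    return {"installed": len(routes), "zero_hits": zero_hits, "missing": missing}

if __name__ == "__main__":
    result = audit_flowspec(INETFLOW_OUTPUT, FILTER_OUTPUT)
    if result["installed"] and len(result["zero_hits"]) == result["installed"]:
        print("every installed flowspec rule has zero hits: suspect the filter is failing open")
    print(result)
```

Run it against the real `show route table inetflow.0` and `show firewall filter __flowspec_default_inet__` output while test traffic that should match is flowing; rules that stay in `zero_hits` are the ones to investigate.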