Re: [j-nsp] FlowSpec and RTBH

2019-10-17 Thread Robert Raszuk 
I see there are two questions here Marcin is asking:

> I was wondering is there a way to export family flow routes (from
> inetflow.0) to non flowspec BGP speaker?

Q1 - Can I advertise Flowspec NLRIs to non Flowspec speakers ? The answer
is clearly "No"

> For example tag Flowspec route with community and advertise this route
with
> different community to blackhole on upstream network (selective RTBH).

Q2 - Can flowspec be tagged with blackhole communities indicating the
actions yet still using match criteria to apply those selectively. The
answer is "Yes" the original 5575 RFC clearly allows so:

   A given flow may be associated with a set of attributes, depending on
   the particular application; such attributes may or may not include
   reachability information (i.e., NEXT_HOP).  *Well-known or AS-specific
   community attributes can be used to encode a set of predetermined
   actions.*


Thx,

R.


On Wed, Oct 16, 2019 at 8:44 PM Jeff Haas via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:

>
>
>
> -- Forwarded message --
> From: Jeff Haas 
> To: "Marcin Głuc" 
> Cc: "juniper-nsp@puck.nether.net" 
> Bcc:
> Date: Wed, 16 Oct 2019 18:44:07 +
> Subject: Re: [j-nsp] FlowSpec and RTBH
> Marcin,
>
>
> > On Oct 9, 2019, at 07:26, Marcin Głuc  wrote:
> > I was wondering is there a way to export family flow routes (from
> > inetflow.0) to non flowspec BGP speaker?
> > For example tag Flowspec route with community and advertise this route
> with
> > different community to blackhole on upstream network (selective RTBH).
>
> I'm having difficulty following your use case.
>
> Flowspec is its own address family with its own AFI/SAFI and a rather
> nasty format.
>
> Are you asking that some internal component of a flowspec filter, like
> destination, is leaked into another address family?
>
> -- Jeff
>
>
>
>
> -- Forwarded message ------
> From: Jeff Haas via juniper-nsp 
> To: "Marcin Głuc" 
> Cc: "juniper-nsp@puck.nether.net" 
> Bcc:
> Date: Wed, 16 Oct 2019 18:44:07 +
> Subject: Re: [j-nsp] FlowSpec and RTBH
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] FlowSpec and RTBH

2019-10-16 Thread Jeff Haas via juniper-nsp 
--- Begin Message ---
Marcin,


> On Oct 9, 2019, at 07:26, Marcin Głuc  wrote:
> I was wondering is there a way to export family flow routes (from
> inetflow.0) to non flowspec BGP speaker?
> For example tag Flowspec route with community and advertise this route with
> different community to blackhole on upstream network (selective RTBH).

I'm having difficulty following your use case.

Flowspec is its own address family with its own AFI/SAFI and a rather nasty 
format.

Are you asking that some internal component of a flowspec filter, like 
destination, is leaked into another address family?

-- Jeff

--- End Message ---
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] FlowSpec and RTBH

2019-10-09 Thread Marcin Głuc 
Hi,

I was wondering is there a way to export family flow routes (from
inetflow.0) to non flowspec BGP speaker?
For example tag Flowspec route with community and advertise this route with
different community to blackhole on upstream network (selective RTBH).


-- 
Marcin
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp