No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE40E V800R010C10SPC500 Feature Description - Security 01

This is NE40E V800R010C10SPC500 Feature Description - Security
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Overview of BGP Flow Specification

Overview of BGP Flow Specification

Definition

BGP Flow Specification is used to protect the device against denial-of-service (DoS) and distributed DoS (DDoS) attacks.

Purpose

DoS and DDoS attacks pose a grave threat to network security. An attacker can control thousands of devices to attack the same destination address, network segment, or a server. Such attacks cause network congestion and can even cause a server to fail to provide services due to excessive CPU usage.

Traditionally, there are two techniques for protecting the system against DoS or DDoS attacks: traffic classification and traffic redirection. However, the techniques have defects, as listed in Table 4-1.

Table 4-1 Defects of traffic classification and traffic redirection

Preventative Technique

Technique Description

Defects

Traffic classification

Traffic filtering rules and quality of service (QoS) policies are configured to reduce DoS and DDoS attacks on the network.

The technique has the following defects:
  • Difficult to ensure real-time deployment of traffic policies. To reduce DoS and DDoS attacks, coordination among network service providers is necessary to identify attack sources.

  • Difficult to maintain traffic policies. Network administrators need to frequently modify traffic policies based on the characteristics of attack traffic.

Traffic redirection

The next hop of the route destined for the attack target is modified based on a routing policy.
  • The next hop of the route is set to a blackhole, and attack traffic is discarded.

  • The next hop of the route is set to a specified device responsible for filtering traffic to ensure proper processing of service traffic.

The technique has the following defects:
  • The traffic filtering rule is simplistic. Only destination addresses can be used as a basis for traffic filtering.

  • Traffic filtering information and routing information are transmitted together, which complicates maintenance.

BGP Flow Specification helps correct the preceding defects:
  • Improves information maintainability using BGP Network Layer Reachability Information (NLRI) defined in standard protocols to transmit traffic filtering information. This ensures separate transmission of traffic filtering information and routing information.

  • Allows more specific traffic filtering rules using various if-match clauses.

BGP Flow Specification supports BGP public-network Flow Specification, BGP VPN Flow Specification, and BGP VPNv4 Flow Specification. Table 4-2 lists their differences.
Table 4-2 Comparison among BGP public-network Flow Specification, BGP VPN Flow Specification, and BGP VPNv4 Flow Specification

BGP Flow Specification

Usage Scenario

Address Family

BGP public-network Flow Specification

Applies to public-network scenarios.

BGP-Flow address family, BGP-IPv6-Flow address family

BGP VPN Flow Specification

Applies to VPN scenarios where BGP Flow Specification routes are not transmitted over the public network between VPNs.

BGP-Flow VPN instance IPv4 address family, BGP-Flow VPN instance IPv6 address family

BGP VPNv4 Flow Specification

Applies to VPN scenarios where BGP Flow Specification routes are transmitted over the public network between VPNs.

BGP-Flow VPN instance IPv4 address family and BGP-Flow VPNv4 address family

Benefits

BGP Flow Specification offers the following benefits:
  • Monitors the network in real time: Traffic is sampled periodically, and a specified action is taken immediately to block attack traffic.

  • Offers attack prevention defense: Traffic policies are configured manually based on common characteristics of attack traffic.

  • Lowers the cost: A traffic policy does not need to be created on all devices, which improves maintainability at lower cost.

  • Minimizes the attack scope: BGP Flow Specification routes can be transmitted between autonomous systems (ASs) so that attack traffic can be filtered out or controlled on devices nearest to attack sources.

Translation
Download
Updated: 2019-01-03

Document ID: EDOC1100055047

Views: 12687

Downloads: 31

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next